Friday Squid Blogging: Fake Squid Seized in Cambodia

Falsely labeled squid snacks were seized in Cambodia. I don't know what food product it really was.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on November 24, 2017 at 4:31 PM • 134 Comments


JG4 • November 24, 2017 6:29 PM

As always, I appreciate the excellent discussion and ideas. I tried to submit a comment yesterday, probably to last week's squid post, but I got the comment blocked message. Nothing profound - just four Big Brother and Police State headlines from NakedCapitalism yesterday and some holiday wishes for those who celebrate Thanksgiving. Thought that it might get released overnight or this morning. As long as I can buy reasonable bandwidth at a reasonable price, I'm almost OK with ending net neutrality.

Your Telegram(tm) Overlords • November 24, 2017 10:27 PM

Yesterday slashdot ran this headline

then this one

The irony of Google nuking an entire internet communications channel due to the alleged unlawful content of a fraction of it, without a court order, got to me. Net Neutrality Hypocrisy.

Jonathan Wilson • November 24, 2017 10:39 PM

I can't recall seeing it mentioned on here but I may have missed it.
If you have an Intel system you should check if you are vulnerable to the huge Intel ME flaw by using the Intel detection tool:

If you are vulnerable you need to look for a BIOS update (in my case I have a Gigabyte motherboard bought loose and assembled into a system so I contacted Gigabyte for a BIOS update which I installed yesterday) to close the holes.

Clive Robinson • November 24, 2017 10:53 PM

@ more on antibiotic problems,

fecal transplants

From records about half a decade old, about 1/3 of the 90,000 fatalities due to "Hospital Acquired Infections" (HAI) in the US annually were due to Clostridium difficile (c.diff / c.difficile) infections[1][2].

From the same data around half a million HAI Clostridium difficile infections occurred, all of which have significant issues and significantly delay hospital discharges. It also appears to fall disproportionately on women, suggesting that in the US there are socio-economic factors involved.

The most frequent cause of c.diff susceptibility is the use of antibiotics or drugs to reduce stomach acid production (proton pump inhibitors). Both of which cause gastric problems which encourage colonization by Clostridium difficile. So even if the c.diff symptoms clear up an individual remains an infection vector and more susceptible to further outbreaks of symptoms.

Whilst the use of the strongest antibiotics only works in less than one third of Clostridium difficile infections, "fecal transplants" are known to have a much higher success rate without the serious side effects of the vancomycin etc. antibiotics. As indicated by the study the implanting of donor fecal matter by colonoscopy is both the most effective and least unsettling for the recipient of the transplant. However colonoscopy is itself not without risk, though the figures are improving[4].

Potentially then fecal transplants, if administered in a timely fashion, will cut 25-30 thousand needless deaths annually in the US alone, as well as saving between $1.5-2 billion in direct costs.

But of more interest to others are the secondary effects. It will free up around 3.5 million days of critical care resources and reduce the usage of our most precious antibiotics, thus reducing in part the chance of drug resistance increasing. But there are further savings in that the transplants, unlike antibiotic treatment, reduce the numbers colonized and thus reduce the numbers of infection vectors in the community.

However fecal transplants and phage treatments are not going to make the drug or health insurance companies money, thus research in these treatments in the US has not received the funding it should have done. Which might account for why this overdue systematic review of studies was not from the US but the UK, even though the actual studies reviewed were not carried out in the UK.

As noted by the report the effectiveness of stopping a c.diff infection is over 90%, whilst some studies show that reinfection or colonization figures are also reduced, unlike the use of strong antibiotics which only stop around 30% of infections and have much less effect on reinfection or colonization.

Thus it's definitely time to at least carry out further studies to see if there are other things we should be aware of with fecal transplants.

[1] It's been claimed that improved cleaning techniques such as Terminal Room Cleaning have reduced HAI but there is insufficient data to say by how much[3]. And HAI is not something you want to run double blind trials on for obvious reasons.

[2] To put the number of HAI C.diff fatalities in perspective, that's a similar number to those who die in another quite preventable manner, road deaths by inappropriate driving.

[3] HAI is on the rise worldwide for various reasons including socio-economic decline and the resulting clusters of illness in socio-economically depressed communities giving "Sick City Syndrome". The problem with such communities is they carry illnesses into the rest of the community and end up increasing illness and fatalities even in the wealthiest of communities. In the US it's been of concern for some time and it was one of the things Obama Care was originally designed to reduce if not eliminate. That was before it got decimated by various political interest groups. With the result that as some have put it "Health Insurance Stocks have been on a bonanza time"...

[4] The simplest explanation for this is that the number of colonoscopies are on the rise due to reduction in equipment costs and more trained practitioners. Thus those given them as a patient cohort are generally healthier.

Clive Robinson • November 24, 2017 11:15 PM

@ Jonathan Wilson,

If you have an Intel system you should check if you are vulnerable to the huge Intel ME flaw by using the Intel detection tool ... If you are vulnerable you need to look for a BIOS update

Whilst I agree that people need to be aware if their CPU is vulnerable...

I'm not so sure on the BIOS/UEFI firmware update yet, unless they know for certain they can "step back".

The reason is if you get a firmware update you will end up with a working Intel ME which you probably do not want. If you have the old firmware that enables you to get at the Intel ME and inhibit it, it may be of more value to you in the long run.

That is being able to get at the Intel ME in the likes of Android tablets and pads will potentially give you the opportunity to root the device in a safe way such that you actually get ownership of the hardware you purchased. Thus in turn get rid of a load of manufacturer installed crapware and malware that "phones home" with either your data, your location or both, to your detriment.

Clipper • November 25, 2017 12:36 AM

Regarding Intel ME, the best route to safety is to somehow disable it. This usually needs an external flasher to perform some SPI programming and apply the me_cleaner script. The main difficulties are:

1. You have to disassemble your device till you can attach a clip or cables on the BIOS chip

2. Use your flasher (buspirate or rpi and so on) to reprogram the BIOS chip

If your device is supported, you can also install coreboot or libreboot while you have the flasher connected.

hmm • November 25, 2017 2:08 AM

"As long as I can buy reasonable bandwidth at a reasonable price, I'm almost OK with ending net neutrality."

Severely under-thinking it. Try again.

hmm • November 25, 2017 2:14 AM

Jeffrey Tucker's by-line is "we should take our deregulation where we can get it."

These people are paid to be morons. His whole argument is that when additional costs are inevitably placed on the market that we're already getting for free, part of the whole "free market" thing applied to the internet paradigm, that magically "corporations will innovate" and "internet socialism will die."

These people should be tarred and feathered. Privatizing the social commons is just standard oil-fired thinking.

No wonder they all fall for it, like rhetorical jobless slopes into a shuttered coal mine shaft.

hmm • November 25, 2017 2:19 AM

The internet isn't theirs to privatize. They are legalizing theft and auctioning it.

People who agree to sellout-ism like this are the traitors among us.

Rachel • November 25, 2017 4:31 AM

I actually don't know what Thanksgiving is or why you folks celebrate it, but happy holidays anyway. It has a Football connection yes? Mr Schneier would you feel to report on the Uber breach?
Sincere condolences to everyone who stored their data with Uber, and did not know they were compromised. Class Actions have been filed already

Rachel • November 25, 2017 4:36 AM

Clive, appreciate the fecal transplant discourse, thank you. Further to your point, researchers are flocking to areas where there is less or no historic use of antibiotics, for sourcing fecal matter with a full spectrum of healthy bacteria. It seems even one use of antibiotics can permanently alter one's flora and this can even be hereditary. Zimbabwe from memory was one such area researchers were keen on. The downside of fecal transplants is what they don't know is living in there.

Gunter Königsmann • November 25, 2017 5:18 AM

AT&T's plan sounds good. But I already have a router that adheres to standards and gets updates. Which is all they promise. The only thing they propose to do different is that they want to choose the software for me. Or did I misunderstand their proposal? In Germany we had network providers that only worked with their boxes. That they did not allow you to replace with others for security reasons. And that tended to fail to provide internet or telephone access for months.

Will AT&T's devices have a microphone?

Who? • November 25, 2017 5:30 AM

@ Clive Robinson, Clipper

Hi guys.

I believe you are thinking of a fix to last August's Positive Technologies discovery of the "Alt Disable Mode" by means of the reserve_hap field, while Jonathan Wilson refers to Intel-SA-00086 security advisory (i.e., the Intel security advisory covering CVE IDs CVE-2017-5705, CVE-2017-5706, CVE-2017-5708, CVE-2017-5709, CVE-2017-5711 and CVE-2017-5712).

I agree with most people here. The former should be seen as a feature, not a bug, (in fact, it was designed on purpose to meet NSA's High-Assurance Platform (HAP) requirements), while the latter are a set of multiple buffer overflows and privilege escalation bugs found recently on Intel firmware.

My advice would be applying the fixes as soon as possible.

No, I do not think Intel will remove the reserve_hap field as it is valuable to win contracts with the Department of Defense.

Clive Robinson • November 25, 2017 10:24 AM

@ Wael,

He's busy with a new position he took and a new place he moved to.

Hopefully he'll settle in soon, but until then let him know several of us said Hi.

Likewise Mike the Goat and RobertT.

@ Figureitout,

If you are reading along as you study, hopefully your course etc is going well.

Wael • November 25, 2017 10:56 AM

@Clive Robinson,

but until then let him know several of us said Hi.

He uses his real name. The first few lines in a Google search will give you the information you need along with his bad-ass picture! He's not someone you'd want to mess with ;)

@Dirk Praet,

Your wisdom, knowledge and bar adventures are sorely missed here. Did you get caught with the wrong woman of ill repute, or did you have another calamari meal? It's okay, you're among friends :)

albert • November 25, 2017 12:02 PM

"What is a mouse when it spins?"

"The higher, the fewer."*


"What is a riddle named 'Nelson'?"

Answer in the next Squid Blog.....

* there are variations on this. To my knowledge, no deep research. Thoughts?

. .. . .. --- ....

echo • November 25, 2017 12:41 PM

SAN FRANCISCO (Reuters) - A bipartisan Harvard University project aimed at protecting elections from hacking and propaganda will release its first set of recommendations today on how U.S. elections can be defended from hacking attacks.

More than a Million Pro-Repeal Net Neutrality Comments were Likely Faked
I used natural language processing techniques to analyze net neutrality comments submitted to the FCC from April-October 2017, and the results were disturbing.

I perceive rotten politicians as no different to malware and bad data. Both articles are very US centric but I believe a useful comment on stepping back from "winning the game for the sake of winning regardless of the cost". It may also be an indirect comment on partisan UK politics and cheating during the EU membership referendum. (I have avoided naming political parties and individuals and taking sides to remain neutral and not dilute discussion about the system.)

Clive Robinson • November 25, 2017 12:47 PM

@ Rachel,

It has a Football connection yes?

Err no... The nearest the first Puritan Separatist settlers --Pilgrims-- got to any modern game was probably "Darts"[1]. Basically there was a game played amongst troops using broken or cut down arrows with weights that were hand thrown at targets, mainly for sport to pass the time. Which supposedly taught them some simple hunting skills for small game, bearing in mind most soldiers back then had to source their own food (which is why camp followers were rather more than modern school history classes make them out to be).

It's known that this game was played by the first English settlers in 1607 onwards in Jamestown but... All good things come to an end as they say and the Pilgrims and Puritans obviously felt that such pastimes were not the work of God, nor were many other things.

Hence with the arrival of Sir Thomas Dale in 1611 as High Marshal --Governor-- he brought about significant changes[2]. Amongst which was the banning of all games amongst the troops (which would have included the early form of darts).

It is believed that a variation of this early darts game was played on many ships of the time to keep crew and passengers amused during what were very long journeys. Various historians have reason to believe it would have been played on the Mayflower. Which arrived in America nearly a decade later and anchored initially at Provincetown Harbor on November 11, 1620. Due to various factors they then moved to what was known as "New Plymouth" on charts and due to the lateness of the year effectively "over wintered on board". Thanksgiving is supposedly in remembrance of a meal the Puritan Pilgrims sat down and ate as the equivalent of a harvest festival --but without the three days of revelry-- the following year (which would have been near the time Canada celebrates Thanksgiving).

However by this time there would have been little for the colonists to be thankful for. Nearly half the Puritan Separatist settlers had died and only two women of child bearing age survived. The colony would have known beyond doubt that they were doomed if not resupplied with both supplies and people.

Around July of 1623 such a ship arrived and this really would have been the first "Pilgrim Thanksgiving" (referring to a solemn ceremony of praise and thanks to God for a congregation's good fortune). It probably would have consisted of a full day of prayer and worship by both the existing colonists and the new arrivals.

The fact that the colony became established in the first place was more by luck than judgment. There had been an epidemic in the indigenous population (hence Indian Americans) thus land that they had cleared and farmed was available. Further at least two of the local tribes' members spoke English and one of them welcomed the colonists, thus a peace treaty of mutual support was drawn up.

Other adventurers fared less well; if you study the history of Scotland you will read about the disastrous attempt to set up the colony of Caledonia in the 1690s (the Darien scheme[3]) in the mosquito-infested swamps of what is now a nearly unused part of modern Panama. The scheme effectively bankrupted Scotland and gave rise to the 1701 union and "The Equivalent", a sum negotiated at £398,000 that ended Scottish economic independence. Although much of the money went to compensate political cronies that had lost significant sums in the Darien Scheme. The man behind the disaster that was the Darien Scheme went on to set up the English South Sea company that likewise turned into another disaster known as "The South Sea Bubble" I mentioned a couple of days ago.


[2] See pages 96 onwards.


Bob Paddock • November 25, 2017 1:12 PM

@Clive Robinson

Effects of control interventions on Clostridium difficile infection in England: an observational study from The Lancet.

Dramatic declines in Clostridium difficile infections in English hospitals appear to result from restrictions avoiding cephalosporin antibiotics (to which C diff is almost universally resistant) and clindamycin, minimizing the use of fluoroquinolones, carbapenems, and aminopenicillin.

Fluoroquinolone Antibiotics need to be removed from the market. There is no known safe dosage. You can take them many times without the devastating side effects, until you take that one last pill, perhaps years later. The side effects are frequently delayed, typically by six months, just long enough that the person does not associate their now devastated health with the Cipro, or Levaquin they took six months ago.

Fluoroquinolones have recently been discussed as a herbicide. Just because you did not take a pill does not mean you have not been exposed as they are in the food supply.

If you think Fluoroquinolones are bad, pray that Peptide-Conjugated Phosphorodiamidate Morpholino Oligomer (PPMO) Antibiotics never reach the market.

PPMOs are a synthetic analog of DNA or RNA that has the ability to silence the expression of specific genes, and could have even worse long term effects on the Human Genome than the Fluoroquinolone Antibiotics.

Fluoroquinolones go by many names.

These two recently approved by the FDA:

Quinsair - Inhaled Levofloxacin. Being promoted for lung infections.
Baxdela (delafloxacin). Being promoted for skin infections.

Fluoroquinolone Eye Drops:

Besivance (besifloxacin)
Cetraxal, Ciloxan (ciprofloxacin)
Iquix, Quixin (levofloxacin)
Ocuflox (ofloxacin)
Vigamox (moxifloxacin)
Zymar (gatifloxacin)
Moxeza (moxifloxacin)

Fluoroquinolone Ear Drops:

Cetraxal, Ciprodex (ciprofloxacin)
Floxin (ofloxacin)
Xtoro (finafloxacin)

Veterinary Fluoroquinolones - Yes, they Flox our pets too!:

Advocin, Advocid (danofloxacin)
Baytril (enrofloxacin)
Dicural, Vetequinon (difloxacin)
Floxasol, Saraflox, Sarafin (sarafloxacin)
Ibaflin (ibafloxacin)
Marbocy, Zeniquin (marbofloxacin)
Orbax, Victas (orbifloxacin)

Fluoroquinolone generations (generic name: brand names). Many have already been removed from the market.

First Generation:

Flumequine: Flubactin
Nalidixic acid: NegGam, Wintomylon
Oxolinic acid: Uroxin
Piromidic acid: Panacid
Pipemidic acid: Dolcol
Rosoxacin: Eradacil

Second Generation:

Ciprofloxacin *: Cipro, Cipro XR, Ciprobay
Enoxacin: Enroxil, Penetrex
Lomefloxacin: Maxaquin
Nadifloxacin: Acuatim, Nadoxin, Nadixa
Norfloxacin: Lexinor, Noroxin, Quinabic, Janacin
Ofloxacin: Floxin, Oxaldin, Tarivid
Pefloxacin: Peflacine
Rufloxacin: Uroflox
Tosufloxacin: Ozex, Tosacin

Third Generation:

Balofloxacin: Baloxin
Gatifloxacin: Tequin, Zymar
Grepafloxacin: Raxar
Levofloxacin *: Cravit, Levaquin
Moxifloxacin *: Avelox, Vigamox
Pazufloxacin: Pasil, Pazucross
Sparfloxacin: Zagam
Temafloxacin: Omniflox
Tosufloxacin: Ozex, Tosacin

Fourth Generation:

Besifloxacin: Besivance
Gemifloxacin: Factive
Sitafloxacin: Gracevit
Trovafloxacin: Trovan
Prulifloxacin: Quisnon

V • November 25, 2017 2:56 PM

@echo says:
> I perceive rotten politicians as no different to malware and bad data.

John Carpenter's "Bomb #20" said much the same thing 40 years ago.

albert • November 25, 2017 3:27 PM

I got mine from my uncle (who was a math major at Georgia Tech and later worked for the Company). He showed me the first magnetic core memory at the college, when I was just a lad. Google tells me I've reached my viewing limit. Interesting. I never used Google Books. I didn't bother contacting support (which is mostly user groups anyway). Some companies are too big to fail, and some are too big to support their users.
@Bob Paddock,
As I said, the chemical/drug companies can, entirely on their own, eliminate all human life on the planet. This is the way the world ends, with a bang, or a whimper.
Jeffrey Tucker's article is total BS. It's akin to the garbage from corporate propagandists 'explaining' how tax cuts will increase employment. 40 years and counting. Are there any corporatists out there who actually -believe- this stuff? They are in desperate need of mental health facilities, which are apparently unnecessary today.

. .. . .. --- ....

Wael • November 25, 2017 5:21 PM


"What is a riddle named 'Nelson'?"

Baby Face Nelson. (Bullet-riddled.)[1]

[1] Web search. Have no clue who that is, but there is a pun.

Anura • November 25, 2017 10:47 PM


Sounds to me like the government is using bureaucracy to silence the flat Earth truthers!

Clive Robinson • November 26, 2017 12:07 AM

@ Wael,

[Baby Face Nelson, I] Have no clue who that is

Lester Joseph Gillis. Born 6th Dec 1908 in Chicago, his parents are thought to have been Belgian immigrants. Known as a boy with a temper he started getting into trouble at an early age. He was known to have turned to crime by the time he was 13 years old.

Because he had a very young look and was not that tall even for the times he was nicknamed "Baby Face" by fellow street thugs. He married young to a girl four years younger than himself and they soon had two children. His wife continued to call herself Helen Gillis, long after "Baby Face" had started using the name "Nelson". He died of wounds received --in a gun fight the previous day-- 28th Nov 1934 aged just 25 years. He had been shot 17 times during the gun fight but had killed two FBI agents and escaped with his wife and a fellow criminal. His wife, now barely an adult, was later arrested and sent to jail for a year for parole violations (harbouring a criminal).

In his short life Nelson had become a prolific bank robber and thought little of killing those who stood in his way. His notoriety led to him being declared "Public Enemy Number 1" by J. Edgar Hoover shortly after the death of John Dillinger.

1920's America was just coming to terms with the pressures created by an influx of immigrants turning what were large towns twenty years earlier into overcrowded cities with what are best described as ethnic ghettos[1]. Landlords put up shoddy tenement accommodation quickly and rapidly filled them beyond overflowing. Kids effectively lived on the street as there was no room at home to do much more than eat and sleep. Even washing and personal hygiene were done in shared or public facilities. There was also a surplus of guns and ammunition "left over" from WWI production etc. that were readily available. Further the inability of returning soldiers to find any, let alone decent, jobs gave rise to more sophisticated and violent crime for children to all too quickly grow into.

Two events happened in the year of Baby Face's birth that would seriously affect his and other street kids' all too short childhood and even shorter adulthood. These were the first of the Ford Model-T cars and later utility vehicles, and the founding of the FBI.

Due to the rapid rise of the car --15 million Model T Fords were made-- people had easy access from State to State. Which due to the way the laws and law enforcement worked at the time provided hardened criminals with the easy respite of crossing a state line. It was this problem with interstate law enforcement and criminals in politics, the police and industry that gave rise to many new "federal crimes" and thus the FBI to act where corrupt local cops and politicians would not. Unfortunately as even the FBI historians admit the FBI was not very effective for the first fifteen years and got itself mired in the "Teapot Dome" scandal. Thus a new broom was brought in to clean house; one of his first acts was to sack the three female agents, and women did not return until he died in 1972. Unfortunately he also became as we now know the most corrupt politician and cop of record in the US, he was J. Edgar Hoover.

[1] I'm using the word ghetto in what would be the terms of today. Where US Cities like Chicago are still described as having "ghetto environments" where street crime is rife. For many little has changed in a century and Chicago PD still has a very bad reputation including the likes of illegal detention centers and rumours of "disappearing" people and using torture.

Wael • November 26, 2017 12:36 AM

@Clive Robinson,

Lester Joseph Gillis. [...] J.Edgar Hoover.

Interesting history. Didn't know where your story would lead me to. But Hoover wasn't on my mind.

he also became as we now know the most corrupt politician and cop of record in the US,

Two key phrases :)

Clive Robinson • November 26, 2017 1:04 AM

@ Willow,

SomeGuy cancels rocket launch to prove Earth is flat when BLM seeks permits

A "steam powered" rocket no less[1], how quaint.

Mind you by the look of the photos it will not really fly, just blast up and either fall apart, or get ripped apart by air flow. Pop rivets are not the way you want to go...

[1] Whilst "steam powered" sounds very Victorian, it was what the WWII German Messerschmitt Me 163A prototype rocket plane used, though the production planes used a slightly different system[2]. Basically you use very concentrated hydrogen peroxide (T-Stoff) and a catalyst (Z-Stoff). The highly exothermic reaction heats the "water" part of the hydrogen peroxide to uncompressible steam which vents along with other catalytic products out of the combustion chamber throat to generate thrust via a venturi effect.

[2] Later versions of the plane, the 163B, used T-Stoff and simply added it to a fuel (C-Stoff) such as hydrazine to form a hypergolic mixture[3]. Such hypergolic liquid engines have advantages over cryo-liquid systems and also solid fuel systems and form a middle ground. All three types of engine were used with the space shuttle.


Clipper • November 26, 2017 4:54 AM


If you disable ME using HAP, I guess that would eradicate the mentioned ME vulnerabilities, since ME wouldn't be active anyway. A drastic measure, but it takes care of the problem altogether.

Herman • November 26, 2017 5:51 AM

Phlat Earth:
My line of sight microwave radio links require the earth to be flat. The links work. Therefore the earth is flat and it is resting on the back of a turtle, just like Terry Pratchett wrote. QED.

Rachel • November 26, 2017 7:07 AM

Thanks for that! And 400 years later the US are still celebrating! So, let's see:
At thanksgiving a US person & their family 1. get glum about lost pastimes 2. get really hungry 3. finally get to eat 4. engage in worship and prayer for a full day 5. engage in treaties
And here I was thinking it was about the family celebrating their Gridiron team.
My life is enriched

Who? • November 26, 2017 7:21 AM

@ Clipper

If you disable ME using HAP, I guess that would eradicate the mentioned ME vulnerabilities, since ME wouldn't be active anyway. A drastic measure, but it takes care of the problem altogether.

Yes, I know it.

In the past I showed other methods to permanently disable Intel ME even if the reserve_hap field or me_cleaner tool are not a choice.

My point was that it made no sense suggesting not patching the ME bugs recently discovered as a consequence of an unrelated feature.

Clipper • November 26, 2017 7:53 AM


In the past I showed other methods to permanently disable Intel ME even if the reserve_hap field or me_cleaner tool are not a choice.

Somehow I have missed that, what was the suggested method?

Clipper • November 26, 2017 8:00 AM

If I am not mistaken, the suggested method was filtering out ME traffic using an intermediate device?

CallMeLateForSupper • November 26, 2017 8:12 AM

"And here I was thinking [Thanksgiving] was about the family celebrating their Gridiron team."

That is accurately described by your #4, "engage in worship and prayer for a full day".

r • November 26, 2017 9:25 AM


RE: bacterial computadors

My argument? They, the bacteria have been doing it for years... The only trick is we're only now gaining access to the mathematical chemical and geometric properties required for finer grained access and communication with such /devisions/.

Lunch cards anyone?

Who? • November 26, 2017 9:25 AM

@ Clipper

Somehow I have missed that, what was the suggested method?

Easy... just install a second NIC on the computer, this one unsupported by the firmware.

Firmware is just another type of software, there is no magic on it even if it has an incredibly powerful low-level control of the device. If you install a NIC that Intel ME does not support then it will be unable to talk to the world using that interface. Of course it does not stop local attacks against Intel ME, but at least Intel ME will run on a network interface isolated from the Internet.

Yeah, there are other risks. There is a chance all our computers have some sort of yet-to-be-discovered WWAN on their chipsets (I am surprised it has not been found yet if it exists, as even the antenna on the new i9 processors is known right now). ME firmware can be reached using the wireless network interface too, but it is another sort of local attack. I think adding an unsupported NIC --one only known to the operating system, not the firmware-- is a very good first step in a security-in-depth approach against rogue hardware.

r • November 26, 2017 9:27 AM


Unsupported by the firmware but operating within the confines of DMA, be wary of any assumptions.

Who? • November 26, 2017 9:44 AM

@ Clipper

If I am not mistaken, the suggested method was filtering out ME traffic using an intermediate device?

Blocking ports 623/udp, 664/udp, 5900/tcp and 16992:16995 in both udp and tcp may work, but a really two-faced firmware (and Intel ME may be!) should be able to hide its activity as HTTP traffic (I would be surprised if this odd behavior exists in current firmware and has not been discovered yet). On my network only a single computer is able to reach the ports 80 and 443 of remote hosts, but it is not a complete fix to the ME issue. At some time the "browser computer" will have an ME-enabled architecture too.

Using NICs that are not supported by Intel ME is a better approach to isolate the beast than firewalling it, in my humble opinion. Right now I have a lot of hopes on the discovery of the reserve_hap field.
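The port-blocking rule Who? describes above, turned into a small detection check as an added example (not code from the blog or from any commenter): it parses iptables-style LOG lines (a constructed sample with documentation addresses), flags any connection on the listed ME/AMT ports, and separately flags port 80/443 egress from any host other than the single permitted "browser computer". The log format, the host addresses and the `nft_ruleset` helper are assumptions, not anything the comment specifies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports named in the comment: fixed (proto, port) pairs plus 16992-16995 on both tcp and udp.
AMT_FIXED = {("udp", 623), ("udp", 664), ("tcp", 5900)}
AMT_RANGE = range(16992, 16996)

# Constructed sample: iptables LOG-style lines from an egress chain (not real traffic).
SAMPLE_LOG = """\
kernel: FW_OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=16992
kernel: FW_OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP DPT=623
kernel: FW_OUT IN= OUT=eth0 SRC=192.0.2.20 DST=198.51.100.9 PROTO=TCP DPT=443
kernel: FW_OUT IN= OUT=eth0 SRC=192.0.2.30 DST=198.51.100.9 PROTO=TCP DPT=80
kernel: FW_OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP DPT=22
kernel: FW_OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP DPT=16995
"""

# Assumed address of the one host allowed to reach 80/443 on remote hosts.
BROWSER_HOST = "192.0.2.20"


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str
    dport: int


LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\w+)\s+DPT=(?P<dport>\d+)"
)


def is_amt_port(proto: str, port: int) -> bool:
    """True if (proto, port) is one the comment says to block."""
    proto = proto.lower()
    if (proto, port) in AMT_FIXED:
        return True
    return proto in ("tcp", "udp") and port in AMT_RANGE


def parse_line(line: str) -> Optional[Conn]:
    """Extract src/dst/proto/dport from one LOG-style line; None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Conn(m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def classify(log_text: str, browser_host: str = BROWSER_HOST) -> Tuple[List[Conn], List[Conn]]:
    """Return (connections on ME/AMT ports, web egress from hosts other than browser_host)."""
    amt_hits: List[Conn] = []
    web_violations: List[Conn] = []
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn is None:
            continue
        if is_amt_port(conn.proto, conn.dport):
            amt_hits.append(conn)
        elif conn.proto == "tcp" and conn.dport in (80, 443) and conn.src != browser_host:
            web_violations.append(conn)
    return amt_hits, web_violations


def nft_ruleset() -> str:
    """nftables fragment equivalent to the comment's blocking rule, applied on egress."""
    return (
        "table inet me_guard {\n"
        "  chain output {\n"
        "    type filter hook output priority 0; policy accept;\n"
        "    udp dport { 623, 664, 16992-16995 } drop\n"
        "    tcp dport { 5900, 16992-16995 } drop\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    hits, web = classify(SAMPLE_LOG)
    for c in hits:
        print("ME/AMT-port traffic:", c)
    for c in web:
        print("web egress from non-browser host:", c)
    print(nft_ruleset())
```

As the comment notes, this only catches firmware that uses the documented ports; ME traffic disguised as ordinary HTTP from the permitted browser host would pass both checks.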

Who? • November 26, 2017 9:54 AM

@ r

Agreed, a NIC itself may be another attack vector.

We cannot trust on Intel ME? Then we can try isolating it.
We cannot trust on NICs either? Then go to the typewriter.

Who? • November 26, 2017 10:24 AM

@ r

From Edward Snowden: The Untold Story:

Snowden speculates that the government fears that the documents contain material that’s deeply damaging—secrets the custodians have yet to find. “I think they think there’s a smoking gun in there that would be the death of them all politically,” Snowden says.

There is undeniably a risk the most important documents have not yet been published. Snowden made the childish mistake of sharing the documents with journalists, not security experts. These documents are now in the hands of people that usually have a poor knowledge of computing and computer security; people that usually only understand political shame, people that do not care about technical facts.

But it is a fact there are more leakers inside the IC. I understand something as big as the existence of hidden WWAN antennae on any computer manufactured on the last decade or ways to get complete access to the computer memory by means of any NIC attached to it should be known right now. My guess is that these documents should be put full-time on the hands of true experts like our host on this blog—people that really understand what is (or not) important from a technical point of view.

My assumption —I know it is just a wild guess— is that there are no hidden antennae or ways to access the memory on a computer by means of a NIC. Something as important should have been leaked at some point in recent years.

rNovember 26, 2017 10:49 AM


I just don't believe it to be a stretch to instead rely on hardcoded ins/outs to move into the area of structure and pattern identification. Network transactions across devices even on the same bus in most cases are going to be aligned on boundaries and be reasonably identifiable even from a simple hooks perspective. 802.11 packets and batched DMA transfers of bulk network activity regardless of pre-existing driver functionality are going to be similar in nature from device to device.

Does either one of us have the source code Intel or anyone else has installed on these chips?

Homogeneity has pitfalls, just as the introduction of other non-vetted technologies would. I don't trust for a second that a missing driver behind enemy lines would stop anyone but a skid.


rNovember 26, 2017 10:53 AM

Signature scanning and tunneling/emulation has been around since the 80s, on both sides of the arena.

Clive RobinsonNovember 26, 2017 10:55 AM

@ Rachel,

Thanks for that! And 400 years later the US are still celebrating!

Yes but not in the same way thankfully.

In that respect the corporatocracy has changed the meaning. Not unlike what many believe of Coca Cola --supposedly-- turning Santa from green to red[1].

Now both Thanksgiving and Xmas are accompanied by the ker-ching of cash registers, frivolity and fun, kind of a warm up for Black Friday or the January sales...

But the thing that gets me the most is "The President Pardoning a Turkey"... I wonder in just how many years since it started people have ruefully watched and thought about the irony of the situation?

There are places where politics most certainly should not be, and young children's hopes, wishes and aspirations are one of them.

Hopefully this year more parents were able to share thanksgiving with their families than the past decade and a half, and as many more likewise make it home safe and sound for Xmas, or other Solstice festivals as well. May there be a little more peace and goodwill around the world as we head into 2018.

[1] The change from green to red is still hotly debated in some places (as is the inventor of the Xmas Card). However even Coca Cola have attributed the red suit to the work of Thomas Nast for Harper's Weekly magazine from 1881 some fifty years before Coke had their 1931 campaign.

Who?November 26, 2017 11:01 AM

@ r

But there are other NIC manufacturers. Globally compromising NIC firmware would be a huge operation —ok, PRISM was another huge operation that remained hidden for years— that should be discovered at some point. A lot of NIC manufacturers do not have their roots in the United States either, but can be reached by their local governments.

We are in the age of the whistleblower; big operations targeting the whole industry cannot remain covered for a long time. At least, that is my hope!

rNovember 26, 2017 11:01 AM

Clive makes valid arguments about the size and space allotted or allowed to your unwanton couriers thoughtspace, something small something discrete and something reasonably handicapped would be preferred over a lamborghini driving your packets and switching your networks.

If you allow ISIS into your home out of the goodwill of your heart you would permit them friends children like-minded wives?

These are inhuman roboticized beneficial constructs, your chance of conversion of silicon to carbon and blood?

Good luck.

rNovember 26, 2017 11:06 AM

I'm not speaking of multiple firmware with firmware specific features, I'm speaking of one with genetic inspecific features and intentional interoperability.

I check my blindspots frequently, you must have access to source that i do not.

rNovember 26, 2017 11:19 AM

Look, do you recall Kaspersky's statements as to not being able to identify the origin or methods of the attack that infiltrated their networks surrounding their disclosure of the HDD embedded firmware?

While that publicized attack was fairly specific to certain device families, what I am referring to with this line of reasoning is that if Kaspersky, who deals with both personal and professional malware on a daily basis and who also likely deploys multiple methods and layers of protection to blanket its network and businesses, can be caught by unknowns, what makes you think that NIC swapping on Iran's unconnected USB-infiltrated networks hasn't been thought of?

A ring buffer by any other name is?

We now have preregistration of DMA pools; one doesn't need a PhD to develop a compatible methodology of wait() && C.

Who?November 26, 2017 11:35 AM

@ Clive Robinson

Thanks a lot. I was not aware of the nicssh rootkit.

Obviously there is no easy way to protect against this hardware rootkit even if our Intel ME or UEFI firmware are not reachable. EFI will just execute the Option ROM as soon as the machine is booted, even if the on-board NIC is not reachable. Right now I only own a single machine whose firmware allows Option ROMs to be disabled (a ThinkCentre desktop). Option ROMs had been disabled on this computer for years, but it will not stop this rootkit becoming a huge problem on recent hardware.

JG4November 26, 2017 11:44 AM

@Drone - that made the hair on the back of my neck stand up. try searching "projected intent" in the duckduck window

rNovember 26, 2017 12:01 PM


An early word processor or late typewriter may not be a bad idea, considering you might be able to remove the paper portion of the hardware and move to something more Enigma-esque.

Who?November 26, 2017 12:40 PM

@ r

Early or not, it seems this word processor should not run on a networked device. Ever. In fact, we should not run networking devices at all if their NICs can be compromised for the sole reason of "being able to receive packets."

I did know about the previous versions of the paper Clive cited here (they were written ten years ago). I was not aware this rootkit had become real in the last three years.

In case all NICs are vulnerable to a hardware rootkit like nicssh then the war is lost. There is nothing we can do. Why are we caring about firewalls, secure operating systems or even Intel ME removal?

I had "Option ROMs" disabled in my ThinkCentre for years, and "Internal Network Option ROM" disabled on any other device that allows it (at least four additional computers in my network). Most recent ones do not allow this feature to be disabled. My ThinkPad T430s allows "Ethernet LAN Option ROM" to be disabled when running in non-optimized (i.e. non-UEFI) mode, but this option has been replaced by "UEFI IPv4 (and IPv6) Network Stacks." Not sure both are equivalent to "disabling Option ROMs," at least for the NICs.

albertNovember 26, 2017 1:08 PM

@Wael, Clive, etc.
Not Baby Faced Nelson. But interesting history.
Go back and read my last Squid Blog, then this one....have you made the connection?
Noted, thanks.
. .. . .. --- ....

rNovember 26, 2017 1:17 PM


Your threat model is unencumbered by iterative enumeration, please replace 'networked' with 'switched' and refer to prior MCU commentary both respectively and respectfully.

more on antibiotic problems- fecal transfersNovember 26, 2017 1:21 PM

@Clive Robinson
“As indicated by the study the implanting of donor fecal matter by colonoscopy is both the most effective and least unsettling for the recipient of the transplant. However colonoscopy is itself not without risk though the figures are improving[4].”

I think crapsules, one or two treatments, might be quite effective, although I don’t have references for journal articles. In addition, of course, oral delivery is less invasive than colonoscopies and oral delivery may take money out of gastroenterologists’ pockets (sort of like you saying big pharma has limited interest in fecal matter transfers).

relatively old, but references diy techniques on youtube (2013)

also 2013


Crapsule vendor in US

Finally, searching terms like oral fecal transfer yielded numerous newspaper articles and this

Think twice, or more, before taking optional antibiotics.
In the US, with fee for service, be leery of hospitals pushing antibiotics.
When taking antibiotics, during and after, take probiotics (Many brands; many opinions. VSL#3 comes in otc and DS (double strength) prescription forms)

AlejandroNovember 26, 2017 2:42 PM

None of us understand how deep world-wide electronic mass surveillance has gone.

Researchers recently found thousands of sites record browsing sessions as if spies were there watching you type and swipe. That data in turn is shared, collated, analyzed bought and sold like a product. Users have no idea how bad it is, and that's the way the predators like it.


"In a recent study we analyzed seven “session replay” services and revealed how they exfiltrate sensitive user data. Here we release the data behind our study, specifically, the list of websites from the Alexa top 1 million which embed scripts from analytics providers that offer session recording services. The appearance of a website on this list DOES NOT necessarily mean that session recordings occur, as website developers may choose not to enable session recording functionality."

"These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder."

My only suggestion is to be aware of what is going on and resist to the extent you can.

I am a strong advocate of feeding the beast fake data and garbage. It can be a somewhat effective poison.

Who?November 26, 2017 3:06 PM

@ r

Your threat model is unencumbered by iterative enumeration, please replace 'networked' with 'switched' and refer to prior MCU commentary both respectively and respectfully.

Sorry, I think I do not understand your comment. What MCU commentary? Why the difference between networked and switched? Is there a workaround against this technique to inject firmware on a NIC? It is not clear to me from the presentation cited by Clive.

Obviously some sort of "configuration" is required for nicssh being successful. It seems to be using IP addresses instead of MAC addresses, so it seems traffic is somewhat encapsulated until it reaches the NIC (if we are talking about NICs then there should be ethernet datagrams, not IP packets, right?). I am unsure how much support it needs from the operating system, but reading carefully the presentation linked by Clive it is not clear to me that "any NIC is vulnerable."

Sadly, the presentation pointed to by Clive does not describe countermeasures. It seems the authors of nicssh have made a lot of improvements since 2007/2008, a nasty surprise as, at that time, it all looked like theoretical research only, without a real-world implementation.

Who?November 26, 2017 3:11 PM

Hmm... is it enough if a switch remembers which MAC address is associated with the IP address used by the nicssh tool?

I had been looking but, except for the presentation noted by Clive and a few other presentations from the same team, there is not much information available about this tool and, what is even more important, about what we can do to protect our systems against it.

Clive RobinsonNovember 26, 2017 3:54 PM

@ ,

On last week's squid page I posted a current research article about reprogramming newer FPGA NICs to get a very high rate Key-Value system,

It works entirely within the NIC but the code is loaded at start up time via the PCIe bus. They talk about a system with ten FPGA based NICs none of which put any real load on the main CPU.

So it's entirely possible to use such a NIC as a spy on the system etc.

hmmNovember 26, 2017 3:59 PM

" Is there a workaround against this technique to inject firmware on a NIC? "

It's vendor chipset firmware specific so you'd have to have a firmware replacement already in place that doesn't accept the magic packet Eth0 firmware update schema.
- Which would break the mass-backdoor updating vendors apparently rely on.

Broadcom was the brand mentioned in the initial presentation. Those are everywhere, others may be next. Got a pfsense box? It could eat those without throwing errors/logs.

My question, once they've got your NIC can you re-flash over it do they lock that up?
If they fully break the NIC's FW updater once infected that would really suck.

Who?November 26, 2017 4:47 PM

@ r, Clive Robinson, hmm

Thank you for helping me understand these facts. Two points to add:

  1. obviously I have a lot to learn, nothing really surprising here I guess...
  2. the world is crazy, I understand remote firmware upgrade is good for lazy administrators but NICs should be upgraded in a more traditional way using the bus they are connected to instead of magic packets.

    @ hmm

    Hardware vendors should not depend on a backdoor like this one to apply upgrades. In this case it is never a NOBUS approach. I agree, breaking the upgrade process would be ugly but it is better to know it happened. I guess they can try using a SPI programmer to flash a good firmware.

    @ Clive

    Sorry, I missed your post. Last Friday I read the new squid entry only. Should look at earlier entries in this blog with more frequency. Reading it now. Thanks!

Clive RobinsonNovember 26, 2017 4:47 PM

@ Who?, r,

My apologies, my above about the FPGA NIC KV system paper was meant for the attention of you two, and anyone else reading along (somebody contacted me in the middle of typing it up to discuss a plan of action for tomorrow and I lost track).

Anyway, I had intended to add some other things to think about.

Firstly two further points that arise about the programmable NICs,

1, It would not be difficult to put a very efficient stack based threaded language on them. Such as Forth, which has been put on DSP and FPGA chips in the past with little problem and great effect. Those systems easily outperformed the likes of compiled C code, not just in execution speed but also in the minimal usage of memory.

The reason for this is that usually it's way too hard to coerce good compiled C code that is close to the metal. Due in part to the modern tool chains, and in part to programmers not being aware of the issues with calling subs and issues with pointer arithmetic on data types that are not native to the CPU.

2, The next question is of course if you can do this with both NICs and GPUs what other I/O can be got at...

It's one of the reasons I talk about "energy-gapping" as much as I do. A while ago now I had a chat with @Nick P amongst others about using the CPUs on Hard Drives and Flash Memory Drives. We know from some work done by some Russian hackers that well known HDs had SoCs that had at least three ARM CPU cores in, with attendant unprotected Flash and RAM. Likewise from other Russians the likes of memory sticks could relatively easily be changed, not just to report false capacity but also to serve up malware that is hidden except under certain circumstances such as first access on system powerup rather than just being plugged in, and that malware using a variation of a "knock-code" to exfiltrate data in a way that most OS tools and security device scanners would never pick up...

All of which brings me back to my two more recently pressed points about,

A, Using RS232 based Data Diodes with instrumentation to check that only certain file formats get sent across and that they are correctly formatted.

B, Ensuring that the security end point is beyond the communications end point and that you only send data that is encrypted using a secure crypto system.

Such systems design by the way is not new, it's the way the SigInt agencies used to design highly secure systems back in the 80s & 90s before the Politicos got their paid for COTS perversion. Back then it was called Strong segregation via mandated choke points or similar language.

It's only now that components are cheap enough that we can develop / deploy our own systems similar to the old SigInt secure systems way ourselves. By using MCU chips that do not have any of the issues such as that of Intel ME etc, and even if they did it could be designed out relatively easily.

ArclightNovember 26, 2017 8:53 PM

The fact that Intel and AMD are being so pushy about incorporating a remote management feature that is really only needed by large corporate users who manage PCs and devices at scale can tell us something about their long-term strategy.

At some point, these vendors will not be treating end-users as the customer.

Their partners at Microsoft, Apple, Disney, Amazon, etc. will be managing the entire compute ecosystem and thus they are retooling the product line to best meet their needs. Having a non-removable management node ship with every endpoint is a key piece of that strategy.

Ultimately, entertainment and content businesses want to secure veto authority over general-purpose computing. This feature set is a logical foundation to helping achieve that goal.

tyrNovember 26, 2017 9:06 PM

There used to be a story about bacteria in Texas.

It seems some folks there were so narrow minded
that when they cried the tears ran down their

I find it appalling to think that bot bombing the
FCC using stolen names is the way to end Net
neutrality. Apparently technology is not always
your friend.

I'm not sure if Baby Face was involved in the
orphan train scam. American government used to
routinely steal immigrant children from their
parents and send them west on the trains. The
practice was finally stopped when the western
sheriffs rebelled. The crime rate because of
those fostered out had risen to horrid rates.
It was all done under the excuse that it was
for their own good.

Fostering sounds good in theory and has been a
disaster in practice since the blank slate
theory is horridly bogus. The world is full of
truly bad ideas that rarely get examined by
science, since it gets up the nose of social

Pollan has written another good book but his
description of cattle feedlots and their odd
bacterial consequences might put you off the
hamburger. The industrial cow is a really bad
idea and we may see something like the Irish
potato famine on an industrial scale because
of it.

My major complaint against Cipro was the fools
who signed the 'Patriot Act' into law without
reading it while addled on Cipro because of
the Anthrax scare. That disappeared under the
rug without a reasonable conclusion similar
to the Kennedy mess where government is still
playing CYA games.


You might want to look up Squanto, he was one
of the most travelled humans on earth during
the pilgrim days.


You might want to locate a copy of 'First
Contract" by Greg Costikyan. Greg was one
of the SPI gang in the boom days of the
board wargamers. It is a much less technical
tome but well worth your time.

WaelNovember 26, 2017 9:35 PM


Thanks for recommendation. I gather it had to do with my bacteria comment?

I'll add it to my wish list. Have no time till the end of year!

@Clive Robinson,

I'm all ears ;) (about how I phrased or misphrased the above first (or second) sentence.)

hmmNovember 26, 2017 9:52 PM

I don't know if every NIC needs to be an FPGA full of data diodes, that sounds expensive.

All of this is because of unsecured firmware updating. A jumper could solve this silliness.

Or like they did in the 90's, you remove the socketed ROM and replace it with a new one.
Someone demonstrates a flaw, they print out another $2 chip and mail it to you.

Firmware update over any network interface is just a lazy convenience paradigm.
Make it a separate physical-access interface specific to the purpose, problem solved.

How do we put more pressure on chipset mfg's or vendors to improve?

Roast them publicly. Or very specific and pointed crank calls to their engineers.

hmmNovember 26, 2017 10:19 PM

"The fact that Intel and AMD are being so pushy about incorporating a remote management feature"

We should assume that comes from above the corporate board level.

I think Intel ME just screwed the pooch so badly it's drawing attention to the thing that they've done their very best to deny and hush up for years and years already. Their excuse has been "oh don't worry, we keep it secret so it's safe from abuse" and then people say "bullshit" and they say NOTHING, offer a patch 6 months later or so.

I mean how is it that they let it get out the door with a blank password field giving root TO THE SECRET CHIPSET BACKDOOR?

That's no bug. That's no QA oversight.

Clive RobinsonNovember 27, 2017 3:52 AM

@ Arclight,

Having a non-removable management node ship with every endpoint is a key piece of that strategy.

Which if you or I'd have said that a decade ago or even half a decade ago, would have earned us the epithet "cranks" in most peoples heads. Including most of the readers here.

The idea is slowly seeping into peoples heads, even if some think it's accident not design they are beginning to understand the danger.

As Intel, AMD and ARM appear to have no interest in removing these "We own the platform not the purchaser" technologies even more people will start to wake up, but I doubt many consumers will.

The only thing that is known to work is when the "big boys" turn on each other via the law courts.

An example of this is Microsoft's UEFI policy for bulk purchase discounts. MS wanted "no choice", "no freedom" not just on Intel/AMD but ARM as well and that was how it started out.

Then they got the pressure put on them by other big players and many many others, with the promise of seriously damaging litigation if they did. So whilst MS loosened up on Intel/AMD in their bulk purchasing agreement, ARM is still the original "locked up tight" because of the kick they could apply to Google and those implementing Android and similar "walled gardens".

The problem is that for personal use computing ARM is without doubt the way people have gone with Smart phones, pads, tablets, net books and light weight laptops. The use of Intel/AMD is thus declining in that sector, with just businesses pushing their way with laptops, desktops and servers.

Thus it will probably not be long before Microsoft make a serious split between business and personal computing. Their entry level OS's will stop being "everything in a bucket" and clear repackaging will go on. Thus for argument's sake Entertainment software will get put in the personal OS but be a paid for extra in business and similar will apply the other way. In time about the only thing that will remain working as is on both OS types will be the "suck them in" software like Office. Which will be given away at administrative cost to students etc, to "Bring them up the MS-Way". Which will be not unexpected when you see how Google are pushing "To OWN your Children" via their cloud services given away to schools, colleges and universities with all sorts of tasty extras. Because for Google it's data that's the key, whilst for MS it was selling applications etc on a never ending upgrade scheme. But now MS want user data as well which with their "telemetry and cloud" being forced down people's throats should be ringing bells in people's heads louder than fire alarms, but it's not...

What has changed is a few people are now asking not "how do we stop the juggernaut, but how do we get out of its way?". The answer is not what they want to hear, which is you can not unless you are prepared to radically alter the way you do things...

The first step obviously is to mitigate the Intel/AMD and ARM lock in. The second is to put your security end point beyond the communications end point. Both can be currently done in a number of ways, but the easiest (use older hardware/OSs/Apps) is not going to last much longer...

Thus people who are required to be confidential such as Drs, Lawyers, Clergymen, Engineers and scientists are going to have to change the way they work. Hopefully others will follow suit whilst they still can...

hmmNovember 27, 2017 5:42 AM

" are going to have to change the way they work. "

One time pads (of paper) and sharp #2's.

CallMeLateForSupperNovember 27, 2017 7:55 AM

@Wael Re: Imgur breach
"Business As Usual. But three years?"

Surf to HaveIBeenPwned[dot]com and peruse the thumbnail descriptions the breaches represented there. You will see many that took years to surface.

Breaches themselves are disturbing enough; long periods between breach and disclosure add insult to injury. (Yes, and sometimes piles injury on top of injury.)

WaelNovember 27, 2017 8:28 AM


Looked at it, thanks. Yep it often takes years for the public to find out.

HaveIBeenPwned [...] add insult to injury

Perjury too, in some high profile cases.

Clive RobinsonNovember 27, 2017 8:29 AM

@ hmm,

I don't know if every NIC needs to be an FPGA full of data diodes, that sounds expensive.

It does not. There are cost trade offs for speed, security and most importantly availability.

However for a manufacturer the biggest cost hole in the ground is inventory costs. Frequently they are larger than profit on a single line item. Therefore what you do is make a single board and partially populate under JIT, or even provide the identical item with different software (that basically throttles down).

All of this is because of unsecured firmware updating. A jumper could solve this silliness.

The cost of that jumper is actually very high in a production environment, not just in direct line costs but also on availability figures, which are very important on high profit items.

To give you an idea why, availability is often calculated as "Mean time to failure" over "Mean time to repair".

Thus the thirty seconds it takes to install new firmware and often not even hard reboot the system just "hot swap reboot the driver" is a fraction of the time to walk down to a server, do a partial or full shutdown, power down, pull the rack, open the case, pull the card, remove the link, put back the card, boot up into "BIOS" then into maintenance and update the firmware and test, then do the rest in reverse.

So your mean time to repair is up to an hour or two, possibly longer depending on how many people you have working there, but that means your availability figure is down by 200-250 times. Then there is the adjustment to the mean time to fail; most cards are only considered good for 10 insertions and removals, 50 tops. So each update cycle is going to reduce the mean time to fail by between 1/10 to 1/20... So just the one firmware update with a link can take your Availability figure down by up to one 5000th of what it was...

Server farm operators just would not buy such a card, no arguments. So the link option is out on high end high profit cards. Also because of the added line costs especially reworking costs it's not going to happen on low profit cards. Which means with the inventory issue it's not going to happen on the middle range products either.

That is the first part of the problem.

The second is the reputational damage. Your card gets hacked, you are just one in any number of patches that happen on an almost daily basis, so run of the mill and not very memorable. You make some tech get off his butt and pick up his toolkit and go down into the fridge that a server room is and he will not just curse you, he will bear you ill will for a very long time and that will almost certainly affect future purchasing decisions. I for one will argue against the purchase of equipment from a well known US PC manufacturer because "they took the Michael" a couple of times more than they should have. It gave me great pleasure to pull them off a large contract I had signing ability for and make it abundantly clear why after an expensive lunch they had bought me and one or two others.

It sounds petty but unless you drop millions on these idiots you don't even get the service level you've paid through the nose for. Your arse is the one that gets the flame thrower treatment even if you can show clear documentation as to you voting against the purchase choice unless certain levels of support are purchased. Your arse, not the accountant who chopped out the support cost because that was a smart choice for the end of quarter numbers, likewise cut the training budget, and the staffing levels...

That's the name of the game, you end up playing which is one reason high end staff "jump ship" whilst all is going well...

JG4November 27, 2017 8:30 AM

My correspondence with Stuart Russell, who made that brilliant drone video.

I want to be Leo Szilard when I grow up.

---------- Forwarded message ----------
From: Stuart Russell
Date: Mon, Nov 27, 2017
Subject: Re: your brilliant video
To: JG4

Thanks for your note - I think this analysis is basically right.
I would say that, unlike nuclear weapons, these weapons have the
ability to facilitate escalating conflict at all scales.

On Sun, 26 Nov 2017, JG4 wrote:

Dear Sir,

Just a quick note to say Thanks! Leo Szilard would approve of your
work, in my humble opinion. I was very pleased to see your video this
morning, although it did make the hair on the back of my neck stand
up. It was shared on Schneier's security forum. I know that you won't
have time to respond to many of the notes that you will receive in
response to what I hope is a viral video. You might consider a blog
entry to address some of the better comments and ideas that are
emailed to you.

I assume that my comments here will be pedestrian in light of the
decades of research and consideration that have gone before. We can
think of the problem in terms of projected intent, where the capacity
of technology to destroy has outstripped the political skills to
address the underlying problems. Guns have caused a lot of problems,
even though they can only project intent over milliseconds to seconds,
and centimeters to kilometers. Drones have brought about a revolution
in distance and delay of projected intent, reaching thousands of
kilometers and tens of hours. I think of the political dysfunction as
a scaling problem, where people generally can get along well if they
number ten to one hundred individuals, but not by the hundreds of
millions. Putting a finer point on it - political ability scales much
differently than economic power and destructive capacity. Today's
full spectrum dominance will be more widely disseminated tomorrow.

Szilard was one of the early ones to recognize the political
dimensions of nuclear arms. Grinspoon is a planetary scientist who
suggested that every sentient species will face a gauntlet where
political skills are tested against technological capacity for
destruction. You have highlighted very nicely the point that
projected (and misprojected) intent via microprocessor technology also
is very dangerous. Thanks!

Sincerely, JG4

echoNovember 27, 2017 8:31 AM

@Clive Steve Ballmer is on record as saying that the corporate customer was the client and the home user was essentially freeloading and lucky to have access to a Microsoft OS. The strong implication was Microsoft could ditch the home user any time they wanted and were not discounting this option as a future strategy. (Contrast and compare with Bill Gates' deliberate strategy of leveraging home users and piracy to gain a foothold in the mass corporate environment.)

I'm not sure how Microsoft changing the tilt of their human interface guides and sacking their in-house technical author teams and continual functional degrading of local online help functionality fits in with this.

Clive RobinsonNovember 27, 2017 8:56 AM

@ hmm,

One time pads (of paper) and sharp #2's.

DON'T forget, one sheet at a time, on a glass surface and an ash tray and matches[1] then pound the ash. Otherwise your Crypto-OpSec will all be for nothing against the HumInt-OpSec fail. Where a black bag operative comes in and does an ESDA attack on the other sheets or soft surfaces, or just does a little bin diving...

[1] Another way is a liquidiser with a little cheap spirit alcohol in it. The resulting mush burns fast and hot enough not to smoke that much.

RachelNovember 27, 2017 9:04 AM

It has transpired, the new Uber CEO learnt of the data breach two months before it was announced to the public.

Clive RobinsonNovember 27, 2017 9:15 AM

@ echo,

Steve Ballmer is on record as saying that the corporate customer was the client and the home user was essentially freeloading and lucky to have access to a Microsoft OS.

Steve Ballmer was never the smartest IoT on the block ;-)

I suspect that somebody sat him down and explained "feeder theory" to him, and then he shut up.

In essence one of the reasons *nix was popular was that students in training for the work place were taught with it. They did not want to work with MicroS4it "Major Fail Clusterf**k" (MFC) for many reasons.

Google grok this hence their push into education at all levels. Thus they will own the workforce in another five years, whilst MicroSoft will not unless they push back hard now.

It's the market leverage factor you just cannot get any other way.

If I was Microsoft I would give every child from five years old free access to all their tools until they left education. Employers would have little choice but to buy Microsoft no matter the cost because the cost of re-education would be a lot lot higher. In essence that is what "Feeder Theory" is: if you control the supply of the feedstock into any value added process you own that process lock, stock and barrel. It's something the Chinese, with their longer term prospectus thinking, know, hence their "One Road" etc. policy in many countries to in effect get control of the raw resource feedstock that drives industry. Likewise religion knows this, which is why they push hard on mothers and their children; that way they own the next generation of income providers...

albertNovember 27, 2017 12:09 PM

@Clive, hmm, etc.
"...All of this is because of unsecured firmware updating. A jumper could solve this silliness..."

For a home user, it's not too bad. I remember the days when corporate desktops could be opened quite easily. The 362.87kg elephant in the room is the s**t firmware thrown into these products, that -require- firmware updates. This is magnified hundreds of times by the s**t code in modern OSes and browsers.

Face it, there's almost no security in remote s/w or f/w updating. Now we have a system where the laptop has replaced the desktop, and some companies have also eliminated Ethernet cables with wifi.


I won't mention thin-client systems, because the paradigm has shifted to make them useless. They may be useful in the IC, because in theory, no one should be taking classified things home and bringing them back.

. .. . .. --- ....

Sancho_PNovember 27, 2017 6:03 PM

@hmmm, Clive Robinson, re firmware updates and methods

I suggest you finalize your thoughts, because an update is an update.
It does not matter how it is done, unsecured online, signed online, with or without jumper, a programmer or by a new chip, the basic issues will be the same:

You don’t know what is in the package, you have no chance to know,
you have to blindly trust in what you got.
- The vendor, in its best intention, may send a bigger flaw than what you had before.
- You may get a corrupted package and trash your system (OK, with the socketed ROM you may go back, but what if the restored system now fails to boot ...?)
- You may get a hacked update and install it yourself, kissing the ugly frog alive.

You have violated rule no. 1: Never touch a running system.
That’s bad enough in theory: But now all will look at you, YOU did it.

And in practice you may love one part of the update (this is why you did it) but there are other “goodies” the vendor added for your convenience and you can’t opt out.
E.g. some default settings, like which directory you want to back up in the cloud.
Update your Mac, it’s free, but includes a crippled UI for mobile devices and more simplifications.
If you update, are you sure that you can go back? What is sure in IT?
Failure, that is.

I hate updates.
I can’t count how many hours of my life, mostly on weekends, were wasted because of “mandatory updates” from our mothership.


Dirk PraetNovember 27, 2017 6:23 PM

@ Wael, @ Clive, @ Nick P, @ Gerard

I'm still alive. Like @Wael said, I moved to a fancier part of town and took up a new job for a real estate company selling villas and condos at Spanish beaches. Where we also have offices, and which is kinda cool. Both have kept me kinda busy over the last couple of months. Truth be said, I also needed some time off from the blog that too often had become a source of aggravation instead of inspiration.

Rest assured that I'll be back on the block once the usual mess at the new job is well under control. People never hire me for simple stuff, and I usually only get called in when all the suit and tie guys have failed and management is willing to consider alternative approaches by a somewhat, err, uncommon kind of person 8-)

WaelNovember 27, 2017 7:30 PM

@Dirk Praet,

Rest assured that I'll be back on the block.

Great to hear. We'll be waiting.

RachelNovember 27, 2017 10:49 PM


PS this place has been full of sordid rumours about the reasons for your disappearance. Many of which, were true

Clive RobinsonNovember 27, 2017 11:00 PM

@ Dirk Praet, Wael,

Just awoke and found your missive, nice to know you are well, and enjoying life.

Then I read,

People never hire me for simple stuff, and I usually only get called in when all the suit and tie guys have failed and management is willing to consider alternative approaches by a somewhat, err, uncommon kind of person 8-)

In the US they used to say that sort of job "needs a fireman". I've done it a few times myself on the odd occasion. A lot of times I found the trouble was caused by "previous consultants" that had "come from the big four" or similar and sold some crap methodology that even those pushing it did not understand...

It reminded me of the --now-- Lord Sir Alan Sugar story. Basically he had a thriving business but got into trouble because of being quite deliberately sold dodgy hard drives by a certain well known Company (Seagate, set up by Alan Shugart). Sugar pursued them through the courts and eventually won substantial damages. But the damage was done to Sugar's image in the business IT sector. He moved into communications but did not initially fare as well as others. Anyway he was put in the position of having to get consultants in...

One day as he walked past a meeting room he saw one of the young consultants giving a verbal working over to a very experienced engineer who looked somewhat perturbed. So Sir Alan went in and heard the consultant espouse some complete load that "wasn't worth a pair of fetid dingo's kidneys" about fax machines and pagers and how they were not a dead duck... Sir Alan (aka mop-head) saw red and assisted said consultant out the door, to be shortly followed by the rest of the pack of hyenas. Which probably gave him deep satisfaction as well as being probably the best decision of the day 0:)

Oh, a piece of advice when being "a fireman": don't "do your thing" in a production area whistling along to a tune on the radio. Apparently the workers watching your demo find it disconcerting enough to have a 2m tall suit with toe caps you can see your face in and a red full goatee "devil's beard"[1] actually use the tools of the trade as well if not better than they can. But then see not only can you whistle, but smile broadly at the same time to the old Rolling Stones hit "19th Nervous Breakdown"; for some reason it doesn't put them at ease, quite the opposite apparently ;-)

[1] Older Turkish immigrants can be a funny lot at times, the following day disks of white glass with blue centers started getting hung up... I guess they did not like my Italian silver grey suit ;-)

hmmNovember 28, 2017 5:58 AM

"some complete load that "wasn't worth a pair of fetid dingo's kidneys" about fax machines and pagers and how they were not a dead duck"

Wot! Fisticuffs at dawn, you've insulted pagers. Crap, dawn was hours ago.

Alright sleep it off.

JG4November 28, 2017 7:46 AM

@Dirk P - Welcome back

I've said before that there is a scaling problem with trust on the old blue marble of entropy maximization. Bitcoin is one of the many responses. It would be clever if there were a way to piggyback climate modeling on the bitcoin mining and blockchain businesses to mitigate some of the damage. When the bitcoin mining is done on direct solar PV, it will be relatively neutral. I haven't attempted the numbers, but gold is another mechanism of trust that has consumed vast quantities of energy. Gold continues to consume energy for the guard-labor and shipping, long after the prodigious quantities of diesel and dust have spewed into the air.

Clive RobinsonNovember 28, 2017 1:32 PM

@ Bruce, and the usual suspects,

A couple for the "facial recognition" file from El Reg,

First up a group has come up with a "face generator" for photographs. Importantly the result is that facial recognition software does not recognise the face, but it's sufficiently close to the actual person that humans can recognise them,

Secondly, London's Met Police are up to their old tricks still with crowd facial recognition trials that apparently never end. I missed it back at the end of August but as they say "some things never change"...

gordoNovember 29, 2017 5:34 AM

An overview of EU and US approaches to (data) privacy law, i.e., "our privacy" and "our data":

The End of Privacy
By Andrew Burt and Dan Geer - Oct. 5, 2017

Among technology companies, the rush to create comprehensive offline profiles of online users is on, driven by the need to monetize online services offered free.

In practice, this means that we can no longer expect a meaningful difference between observability and identifiability — if we can be observed, we can be identified.

[. . .]

The answer is that we must regulate what organizations and governments can actually do with our data. Simply put, the future of our privacy lies in how our data is used, rather than how or when our data may be gathered. Excepting those who opt out of the digital world altogether, controls on data gathering is a lost cause.

This is part of the approach now being taken by European regulators.

[. . .]

This method stands in stark contrast to the way data is protected in the United States, which might best be characterized as a “collect data first, ask questions later” approach.

[. . .]

Many privacy advocates will no doubt find it hard to stomach that the way we think about protecting our data is outdated. But if we are to maintain the ability to assert control over the data we generate, we must also admit that our past ideas of what it means to be “let alone” no longer apply. [transcript]

Clive RobinsonNovember 29, 2017 8:12 AM

@ Gordo,

With regards Dan and Andrews article, and,

United States, which might best be characterized as a “collect data first, ask questions later” approach.

is being very optimistic about it even for a US centric viewpoint. I, with a more realistic viewpoint, would have said of the US approach,

    “steal data first, don't answer questions later bribe a congress critter instead, and if that don't work fight it out for ever in court”

It's why the new EU regulations appear so draconian with the high levels of fines and low levels of proof required. And I still think it's too lenient in that some joker in the US will "off shore" the gathering / storing process to some shell within a shell company in a tax haven which has no legal tie-ups with either the EU or US...

It's abundantly clear that neither the situation nor the legislation will change in the US as long as US politicians hold their hand out (just as politicos do in many countries).

As others have noted in the past, slam the CEO etc. of one of the big five in jail for 5-10 and things might change, especially if you add compulsory fines of 20% of assumed total earnings and holdings. If they try to hide via various means treat them the same way the US does those they label as "terrorists" etc., by sequestration of all available company assets and those of those related to officers of the company and share holders, oh and those held by other US entities including those who run the country[1].

Sometimes you have to play a lot more seriously than "hard ball" to get people's attention. Or as has been noted before "Raise the pain threshold" to "a little less than lethal".

I would however draw the line at sending in drones and hit teams as Obama and predecessors are known to have not only done but gloried in.

[1] That is anything and everything the USG has used against others and the countries they live in. Kind of what goes around comes around policy.

RachelNovember 29, 2017 11:22 AM


I'd like to express gratitude and affection
for the existence of this blog and the people who contribute.
Mr Schneier, & Moderator (do you have a name?) thank you
Clive, you are the Light of the Web. England needs a statue of you.
Wael, Dirk of the Family Praet; Tyr; Nick P and so many more.
Everyone- try not to be too paranoid and cynical. Don't put crap in your body. Use a standing up desk. Get outside more. And spread love and kindness, as a rule

The hazards of releasing only alpha versions of your operating systemNovember 29, 2017 3:38 PM

This is the sort of feature/bug you'd expect from MS Windows, but it comes to us from Apple, instead:
“When prompted for username and password, type username: root and leave the password empty. Press enter. This might throw an error, but try again immediately with the same username: root and empty password. This should unlock the Lock Icon.”
This would be hilarious if it weren't so sad. At least Apple released a patch in record time, only two weeks after the security hole was broadcast to the general public.
“Imagine a locked door, but if you just keep trying the handle, it says “oh well” and lets you in without a key.”

ClipperNovember 30, 2017 8:21 AM


FB (or FBI?) will use that picture to get the biometric fingerprint of its users and this will be the largest collection of biometric data in the history.

mostly harmfulNovember 30, 2017 8:25 AM

Cannot recall seeing this posted here:

Taking HTTPS Denial to an Absurd Level, by Tom Spring, November 2, 2017 is, to the best of my (vague and superficial) understanding, a franchise that offers some kind of localised, federated, web-presence-in-a-box for local brick-and-mortar retailers. Interesting market niche.

Their web developers cooked up a sort of creative back-of-the-class security theater, as discussed in the above article, and which I am instead tempted to categorise as “security theater theater”.

You may be familiar with a Security Feature™ of popular web browsers, which causes the browser to issue a warning, a sort of Check Engine light, when it encounters any page that both

  • contains a password field, and
  • fails to exhibit that powerful dweomer known as HTTPS.

ShopCity's login pages, though lacking HTTPS, apparently avoided triggering the Check Engine light by using plain-old text-entry forms which

  • accept passwords,
  • echo a series of identical blip-glyphs upon the entry of characters,
  • and grant access,

but which were not dubbed password fields — that is, they didn't have the “password field bit” set.

Public shaming of the heretic ensued, at which point ShopCity's network administrator publicly repented, and renewed his commitment to Double-Plus-Good-Think: “We are currently transitioning our users to HTTPS and we’ll be 100 percent there by the new year.”

The article above focuses exclusively on the half-baked construction of a security-simulacrum by ShopCity.

An issue not raised is whether the Check Engine light paraded by Firefox/Chrome/Acme web-browsers is a pernicious instance of security theater in its own right, whose harmful effects are of a greater order of magnitude than the bottom-feeding antics of ShopCity.

Hint: One of those harmful effects is to reward, to no user's perceivable benefit, precisely the pre-exposure behavior of ShopCity. (Also: Say the name three times fast.)
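The browser check described above looks only at the declared input type, which is exactly why a CSS-masked text box slips past it. As an added example (my own code, not from the Threatpost article or from ShopCity), here is an audit helper a site owner could run over their own login forms: it reproduces the "password field on a non-HTTPS page" rule and additionally flags text inputs that merely behave like password fields, judged by the `-webkit-text-security` masking style or by a password-like name. The field descriptors and the sample form are constructed so the logic runs outside a browser; `collectFields` shows how to gather the same facts from a live page.

```javascript
// Added example: audit login forms for the disguised-password-field pattern.
// Not code from the original page; field descriptors are plain objects so
// the logic can run in Node as well as in a browser.

// Heuristic for names that suggest a secret is being typed (assumption).
const PASSWORD_HINT = /pass|pwd|secret|\bpin\b/i;

// Normalise one form control into the facts the audit needs. `field` mirrors
// a subset of HTMLInputElement plus the computed -webkit-text-security value,
// the CSS property that masks a text input with dots.
function describeField(field) {
  return {
    type: String(field.type || 'text').toLowerCase(),
    name: String(field.name || ''),
    id: String(field.id || ''),
    autocomplete: String(field.autocomplete || '').toLowerCase(),
    textSecurity: String(field.textSecurity || 'none').toLowerCase(),
  };
}

// Does this control behave like a password box without being typed as one?
function isDisguisedPasswordField(d) {
  if (d.type !== 'text') return false;
  const masked = d.textSecurity !== 'none';
  const named = PASSWORD_HINT.test(d.name) || PASSWORD_HINT.test(d.id)
    || /password/.test(d.autocomplete);
  return masked || named;
}

// Audit a page: returns the findings a site owner would want fixed.
function auditLoginForm(pageUrl, fields) {
  const secure = new URL(pageUrl).protocol === 'https:';
  const findings = [];
  for (const raw of fields) {
    const d = describeField(raw);
    const label = d.name || d.id || '(unnamed)';
    if (d.type === 'password' && !secure) {
      findings.push(`insecure-password-field: ${label} is type=password on a non-HTTPS page`);
    }
    if (isDisguisedPasswordField(d)) {
      findings.push(`disguised-password-field: ${label} masks or names a password but is type=text`);
      if (!secure) findings.push(`insecure-disguised-password: ${label} will submit a secret over plain HTTP`);
    }
  }
  return findings;
}

// Browser usage: collect live inputs together with their masking style.
// Returns an empty list when there is no DOM (e.g. under Node).
function collectFields(doc = globalThis.document) {
  if (!doc) return [];
  return Array.from(doc.querySelectorAll('input')).map((el) => ({
    type: el.type,
    name: el.name,
    id: el.id,
    autocomplete: el.autocomplete,
    textSecurity: getComputedStyle(el).getPropertyValue('-webkit-text-security') || 'none',
  }));
}

// Constructed sample: a plain-HTTP login form whose "password" box is a text
// input masked with CSS, the pattern the comment above describes.
const SAMPLE_PAGE = 'http://shop.example.test/login';
const SAMPLE_FIELDS = [
  { type: 'text', name: 'username' },
  { type: 'text', name: 'user_pass', textSecurity: 'disc' },
];

// Run stand-alone: prints two findings for the constructed form.
for (const line of auditLoginForm(SAMPLE_PAGE, SAMPLE_FIELDS)) console.log(line);
```

In a browser the same audit is `auditLoginForm(location.href, collectFields())`; the point of the second rule is that a masked or password-named text input is a finding on HTTPS pages too, because a real `type=password` also keeps the value out of autocomplete and form history.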

Clive RobinsonNovember 30, 2017 10:02 AM

@ The hazards of releasing...,

This is the sort of feature/bug you'd expect from MS Windows, but it comes to us from Apple, instead

Ahhh, reminds me of Win95 and even Win ME. Most never saw WinME or its appalling... well, everything; it was thus as popular as a cape porcupine stuck in a toilet cubicle...

@ Rachel,

Clive, you are the Light of the Web. England needs a statue of you.

You know my ears change colour at the slightest cause... thus to be life like the statue would need bright neon lights on either side to spread the happiness in bright pink. It would thus be a little "70's", a time I had to live through and somehow survive (and still have shirts from, in the back of the closet, where they live a life of their own ;-)

@ gordo,

Regardless, the NSA's time-machine downstreaming, to other TLA's, will remain relatively unhindered.

Yup, and the way that can be abused to get other warrants by chaining etc is a nightmare even for mindless zombies with no social contacts...

Clive RobinsonNovember 30, 2017 12:46 PM

Judge in Waymo-v-Uber not happy

A day before jury selection, what Uber effectively described as an extortion letter caused the judge to delay the trial until February.

And said to Uber's legal team that it looks like they tried to cover it up...

I don't know about other people but the letter sure does look like the lawyer and the engineer were getting a lot lot more money than you would expect...

Looks like it's time for another bowl of pop corn. At this rate of sitting back and watching the Uber antics both in the US and UK my comfy seat is getting a little lumpy from over use ;-)

Clive RobinsonNovember 30, 2017 1:15 PM

How to end up with Uber via a snack bag

Apparently an Australian engineer has been sacked for putting his work related PDA in the bags you get chips/crisps in, even though his employers knew he was doing it for quite some time and said nothing,

Apparently the mylar bags have a very small amount of aluminium in them, so in theory could be a Faraday Shield, but I personally would not bet on it in any way shape or form. If eight or nine layers of baking foil wrapped tightly around a mobile phone still let it ring, you can see why I'm skeptical. UK "crisp packets" I've tested certainly don't pass the mobile phone test so, unless there's something special about these Aussie bags, be it upon your own head if you end up working for Uber on minimum -30% wages.

lurkerNovember 30, 2017 4:07 PM

I know it's Cambodia and stuff can get lost in translation, but it struck me odd that a Porn Marketing company should be upset at somebody selling fake squid. Weird stuff out there...

more on antibiotic problems-fecal transfersNovember 30, 2017 5:22 PM

can be a reasonable resource in general.

lactobacillus GG is found in numerous journal articles (Culturelle in this country)
bc-50 (Digestive Advantage in this country)

some other Docs have recommended Florastor

Andrew Weil has written numerous books, has vitamin recommendation service, knows east and west medicine, and I think he is also a kimchi and sauerkraut fan.

Clive RobinsonDecember 1, 2017 3:02 AM

Coinhive hides behind time

Over the past few months, visitors to certain site types have caught a dose of Coinhive cryptocurrency mining malware.

The mining software has been loaded as either WebASM or Javascript into the open browser window, which meant it got shut down with the window.

Now however there is a new wrinkle on MS Windows boxes (and likely others to follow etc.). The malware opens a new window which it puts under the clock in the MS task bar where a user will not see it except by chance.

It then loads a copy of the mining malware into this hidden window and it keeps on running even though the other browser windows are shut down.

Nasty but not an unexpected development...
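The pop-under described above depends on `window.open()` being asked for a window whose position or size keeps it out of sight (behind the taskbar, off the edge of the screen, or only a few pixels large). As an added example (my own code, not from the original comment or from any vendor), here is detection logic that parses the features string passed to `window.open()` and classifies where the requested window would land, plus a wrapper that logs such requests in a browser before the window is created. The screen geometry and the two features strings are constructed; the placement thresholds are my own assumptions.

```javascript
// Added example: classify window.open() feature strings that would produce
// a hidden pop-under. Not code from the original page; sample values are
// constructed.

// Parse "width=100,height=50,left=1800,top=1060" into a map. Bare tokens
// such as "popup" count as enabled (1); non-numeric values stay strings.
function parseWindowFeatures(features) {
  const out = {};
  for (const part of String(features || '').split(',')) {
    const [k, v] = part.split('=').map((s) => s.trim().toLowerCase());
    if (!k) continue;
    if (v === undefined || v === '') out[k] = 1;
    else out[k] = Number.isNaN(Number(v)) ? v : Number(v);
  }
  return out;
}

// `screen` mirrors the browser Screen object: width/height is the whole
// display, availWidth/availHeight exclude the OS taskbar or dock.
// Thresholds (10 px "tiny" window) are an assumption for this example.
function classifyWindowPlacement(features, screen) {
  const f = parseWindowFeatures(features);
  const width = f.width ?? f.innerwidth ?? screen.availWidth;
  const height = f.height ?? f.innerheight ?? screen.availHeight;
  const left = f.left ?? f.screenx ?? 0;
  const top = f.top ?? f.screeny ?? 0;
  const reasons = [];
  // Window starts at or below the work area: it sits in the taskbar strip.
  if (top >= screen.availHeight) reasons.push('below-work-area');
  // Window starts at or beyond the right edge of the work area.
  if (left >= screen.availWidth) reasons.push('right-of-work-area');
  // Negative offsets push the whole window off the visible display.
  if (left + width <= 0 || top + height <= 0) reasons.push('off-screen');
  // A handful of pixels is not meant to be seen.
  if (width <= 10 || height <= 10) reasons.push('tiny');
  return { hidden: reasons.length > 0, reasons, rect: { left, top, width, height } };
}

// Browser use: wrap window.open so hidden-window requests are reported
// (the callback can also refuse them by returning false). Returns the
// original function so it can be restored; no-op outside a browser.
function installPopUnderMonitor(win = globalThis.window, onHidden = console.warn) {
  if (!win || typeof win.open !== 'function') return null;
  const original = win.open;
  win.open = function (url, name, features) {
    const verdict = classifyWindowPlacement(features, win.screen);
    if (verdict.hidden && onHidden('hidden window requested', url, verdict) === false) {
      return null; // refused
    }
    return original.call(win, url, name, features);
  };
  return original;
}

// Constructed sample: a 1920x1080 display with a 40 px taskbar, a features
// string that parks the window under the clock, and an ordinary popup.
const SAMPLE_SCREEN = { width: 1920, height: 1080, availWidth: 1920, availHeight: 1040 };
const SAMPLE_POPUNDER = 'width=100,height=100,left=1800,top=1060';
const SAMPLE_NORMAL = 'width=800,height=600,left=200,top=100';

// Run stand-alone: the first verdict is hidden, the second is not.
console.log(classifyWindowPlacement(SAMPLE_POPUNDER, SAMPLE_SCREEN));
console.log(classifyWindowPlacement(SAMPLE_NORMAL, SAMPLE_SCREEN));
```

Modern browsers clamp window positions to the screen, so the feature string is only one signal; a content script would combine this with a check of the created window's actual `screenX`/`screenY` and `outerWidth`/`outerHeight` after it opens, and with CPU usage, since the miner keeps running regardless of where the window sits.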

RachelDecember 1, 2017 5:49 AM


Coinbase : MS contributing to the global economy!
Uber : really serious criminal charges? fraud?

It would seem only correct that a National Treasure such as yourself be immortalised in a statue. It appears to be equal to the highest of accolades in your country. Upon further reflection it transpired that the collection of statues so far were of really horrible people. Which reminded me of your recent Freudian upon 'King Knut' on the Squid.
So, no statue for Clive. What about a Futurama style animatronic Clive dancing around London. In the future we may all experience VR Clive beamed to us personally like the advertisements in Bladerunner

tyrDecember 7, 2017 10:21 PM


You changed your mind just in time.

There are many horrible statue jokes about
modern immortals and the lack of materials
to build them properly.

Clive RobinsonDecember 8, 2017 1:59 AM

@ Rachel, tyr,

So, no statue for Clive. What about a Futurama style animatronic Clive dancing around London.

Are you aware that my genetic ancestors are "Scots" and that since the work of "Sir Walter Scott" --Scot in name only-- certain formal attire is de rigueur?

When young I was taught briefly how to dance over swords without cutting my toes or feet off. But that sort of dancing requires exuberant knee lifting, which in a kilt can be quite revealing... :$

As the old saying goes "Madam, do you wish to frighten children and horses?" :-S
