Friday Squid Blogging: New Squid Species Discovered in Australia

A new species of pygmy squid was discovered in Western Australia. It's pretty cute.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on March 16, 2018 at 4:10 PM • 170 Comments


BobMarch 16, 2018 4:20 PM

Everything about the AMD vulnerability reporting smells like stock market manipulation.

echoMarch 16, 2018 4:37 PM

I wanted to comment on an issue I had views about and couldn't make up my mind if I was obsessing or being a useful idiot. By chance I discovered a new article on "baloney detection".

Watch: Carl Sagan's Rules For The Fine Art of Baloney Detection
Skepticism, Sagan style.
In a new video from BigThink, skeptic and science writer Michael Shermer lays out how each one of us can use Sagan's timeless skepticism to debunk untruths and call out baloney (aka fake news) when we see it.

Nameless CowMarch 16, 2018 5:06 PM

I have a question for the security experts here, if I may.

I received an MMS message on my phone from an apparently forged number. The message is a picture, a begin one, possibly a stock photo. It was not accompanied by any text.

The curious thing is, the sender's number is my number, off by one.

Is this a prank, spam, a scam, or some kind of attack?

I can't imagine how it would work as spam or a scam. If the sender's number is forged as I suspected, returning the message is not going to connect me to the true sender.

If it's a prank, it's not a particularly good one. The sender gets no feedback from the target. Most people will ignore random messages from unknown senders.

That leaves me with the last possibility I can think of - an attempt to exploit known or unknown vulnerabilities in the recipients' devices.

Does anyone know if there are campaigns like that going on? Are there tools or services that can scan a picture and tell you whether it's been crafted to attack vulnerable devices?

Thanks for your insights.

EvilKiruMarch 16, 2018 5:24 PM

@Nameless Cow: It could be a hack attempt using a specially crafted image that can exploit a vulnerability in some image display code and possibly cause arbitrary code execution on some unpatched devices.

Nameless CowMarch 16, 2018 6:12 PM


> It could be a hack attempt using a specially crafted image

Any way to confirm or rule out?

GuestMarch 16, 2018 6:37 PM

CTS Labs opted for the 1-day release because they believed AMD would not be able to fix the flaws within a few months. Trail of Bits researcher Dan Guido says there is no immediate risk of exploitation. Wired writes:

CTS argues that by leaving out any details that might allow other hackers to exploit the bugs and backdoor it discovered, it hasn't endangered anyone with its narrow disclosure window. "We’re not putting anyone at risk," says CTS co-founder Yaron Luk-Zilberman. "We have no plans to put out the full technical details to the public. We’re only sending to companies who are able to produce mitigations."

CTS Labs added in a letter:

I think that a better way, would be to notify the public on day 0 that there are vulnerabilities and what is the impact. To notify the public and the vendor together.

tptacek at Hacker News (item #16577433) is advancing this paradigm (in the sense Dan Geer gave a talk on) as well: the only reason for partial disclosure is to do a favor for corporations, and what users want is the knowledge that an exploit exists - knowledge they can use by abruptly discontinuing their further use of the product.

Hyper-focus on "how do we treat this flaw" sidesteps the "torch everything on our way out" threat models; if an adversary already has access to your systems, they could have data-bombed at any time. The primary reason they didn't is that your systems were more valuable to them over a period of time, if they kept their presence concealed enough that you never had to go looking for them. If they see internal E-mails to the effect of an upcoming security audit, they will know their time is coming to an end soon, and with no future eavesdropping to hold out for, they can crash and burn your systems. If they think you may install anti-virus in 3 months, they have 3 months to decide whether figuring out how to harden their presence vs your detection is worth it. And if they think you are going to scrap all the vulnerable systems for something else, they may data-bomb you into oblivion before you can decommission those computers.

Users may be able to stop using AMD before anyone can figure out how to weaponize the latest research, but this is not the threat we should be basing industry-standard disclosure theory around. We also have to be mindful of botnets that may be upset enough at the imminent loss of their already-compromised computers to take everyone else down with them.

AMD may not be able to fix the flaws, but a chance to push updates which throw a kill-switch into otherwise-vulnerable machines (preserving data on the hard drives), and instructing affected users how to obtain free replacements of non-vulnerable alternative AMD hardware, would be an option for them then. Even without a fix, they would be able to protect end-users.

Clive RobinsonMarch 16, 2018 7:06 PM

@ Bruce,

A thought for you...

I predicted that the hardware architectute faults in modern CPUs that have given us Specter and Meltdown would be a gift that would keep on giving and so far it has.

I also have a gut feeling that for a while the security focus will move to the computing stack levels below the ISA level.

Perhaps you might consider a few hardware papers every now and then so that readers can get their heads around some of the more bizarre aspects of CPU side effects.

echoMarch 16, 2018 7:14 PM

I didn't understand even half the words in this thing.

The public comment period for the draft Deep Space Interoperability Standards is open starting March 1, 2018.

Environmental Control and Life Support Systems (ECLSS).



The following define the security standards to ensure interoperability for the Command and Telemetry DSG to DSG-Ground links. The actual links & data to be protected, security & key management, etc. will be based on the International Partner agreement on security policies for the Program(s).


Bob Dylan's Nasty SmellMarch 16, 2018 7:22 PM


Sticking exploit code in a photo is a difficult thing to do as there is little headroom; it is not a script kiddy maneuverer. The other reason it is rarely used is that it is easy to detect: open the file in a editor and look for code. All file formats like jpeg and gif are standardized; compare yours with the standard.

I don't know of any automated ways to do it off the top of my head. It simply isn't the type of thing that happens very often for the reasons I just mentioned...which is not to say that it hasn't just happened to you.

MarkMarch 16, 2018 9:09 PM

@Nameless Cow
@Bob Dylan's Nasty Smell

/bin/vi if you into reading image files in vi

FooCrypt, does binary image scanning ( part of the steganography demo ) included in FooCrypt,0.0.1,Core by reading every pixel's RGB value. FooCrypt will eventually perform more than just a steganography demo read and include writing so that any encrypted data can be hidden inside an image.

FooCrypt also does binary reads of any file type, stripping ascii values 32-126 from the file via IWMB. Not hard to see if there is a foreign non image format code embedded inside the image.

A hex dump would be your easiest choice, and then comparing the image to the image formats standard.

MarkMarch 16, 2018 9:15 PM

@Clive Robinson

The majority of my 37 year career in IT has been spent on SPARC, Intel and AMD, have a long way to go in the CPU security architecture space. Both of them are experiencing issues due to their historical 'Need Fo Speed' design choices.

Alice RadulskiMarch 16, 2018 9:29 PM

Mr. Schneier,

I was wondering if you had any comment on XKCD's claim that your actually just two mischievous kids in a big trench coat? As an ardent follower of your work I'm very curious as to what you make of these claims.

"CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat."

Thank You

Clive RobinsonMarch 17, 2018 12:20 AM

@ echo,

Carl Sagan's Rules For The Fine Art of Baloney Detection Skepticism, Sagan style.

I can remember a time when Carl Sagan was more famous than Steven Hawking in the public eye.

Two stars thar burned bright that have gone beyond our horizon, but the knowledge they have left will still burn bright for centuries to come.

Clive RobinsonMarch 17, 2018 12:59 AM

@ Mark,

The majority of my 37 year career in IT has been spent on SPARC, Intel and AMD, have a long way to go in the CPU security architecture space.

"More than a third of a century" in industry. Do you get twinges when you say it? I sure do, it will be fourty years later this year for me :-S Time sneaks up on you like a mugger in a dark alley and whilst "the bit of badger" in my beard has become "distinguished" my mind still thinks I'm a mischievous tweenty something, if not younger. Thus at some point I'm realy going to have to start "Get old disgracefully" just to even the scales ;-)

With regards the "need for speed" Intel's need to market it's self as "the standard to beat" has caused a lot of harm in the industry. Not known to many is that Sun decided not to play that game maintained a cleaner all be it a bit slower architecture.

Thus we know why we "sleepwalked" into this current mess, but still have no clue as to how to extricate our selves gracefully, and with lack of wider effect.

Whilst it won't be an easy ride hopefully it will make people realise there is a price to pay for a "peddle to the metal" ride.

The upside is that the trend in low power usage for longer battery life has got to the point that whilst speed is nice, most of us do not need it. That is for most of us the speed of general computing has gone beyond what we need.

So fingers crossed that for the majority the "need for speed" has already exceaded our real requirements... It's our expectations that may well be the cause of trouble...

MarkMarch 17, 2018 1:37 AM

@Clive R

I only feel old when I see repeated issues from last decade / last century being reported as something no-one knew about by the press, industry and wonder if Im experiencing a time warp. Even worse when you use a search engine to search old news archives and find out your memory is still good, 'yep, that was reported in 1997, docent the media do archival searches before reporting something as NEW'

Am way too cynical due to my age and industry experience's. The old 'Little Chicken' attitude of mainstream media / the so called 'cybersecurity ( worst Job Title I have come across )' [ ICT security / Engineering ], hasn't changed for the 45+ years that computers had networking cards ], running around with zero days....mmm NIST CVE etc has been around for how many decades now ? Someone should put together a LifeTime CVE exposure device for the young people to wear, just like a radiation monitor, when it goes black, you through out all your IT equipment and re platform to a different vendor / OS.

MMU is a whole different ball game to the models that Intel / AMD have locked themselves into.
SPARC has't died, despite Oracles attempts since acquiring Sun. Solaris is still around, although one gets rather annoyed at Oracles roadmap ( sending x86 towards a cliff and then making a hard U turn ).

Threading is better on Solaris / SPARC | x86 for what I do / build / support / etc.

You could say that 9 out of 10 of this list [ ], cheated, and are actually not as fast as they claim to be.

Gunter KönigsmannMarch 17, 2018 4:08 AM

About the AMD thingy: I guess it is stock manipulation. For example the USB vulnerability they have found in Intel Mainboards first, but everyone talks about AMD.

But the thread may be real: Intel's IME and AMD's counterpart and ARM's secure enclave, all the embedded processors or virtual embedded processors realized using virtualization aren't accessible to virus scanners or (if there are no serious flaws in them to security researchers). But they have the power to do wild things using nearly all of the system's ressources => If someone gets write access and hides a backdoor here - the backdoor is nearly un-detectable.

Gunter KönigsmannMarch 17, 2018 4:11 AM

To the experts:

If in Eclipse Ctrl+C and Ctrl+X sometimes get real slow if firefox is open, but all the other things in the system stay fast... ...might this mean that someone tries to read my clipboard? Or am I too paranoid?

And: Do you know if ads typically are allowed JavaScript?

Gunter KönigsmannMarch 17, 2018 4:20 AM

@Nameless Cow: My guess is that no one would go great lengths for forging a MMS without having a good reason. One good reason would be finding a new way to send spam. Another would be targetting the stagefright bugs or similar => the question might not be if someone tried to do mess with your phone but if they succeeded doing so.
As Android tends to be veeery out of date in means of security patches and as the patches are documented I guess for a criminal it would make sense to target devices whose security is years behind the state-of-the-art.

MarkMarch 17, 2018 4:50 AM


It would be poorly written MALWare to be slowing down your system every time your accessing the clipboard. [ ]

Are firefox and eclipse configured to use different versions of Java ?
Is firefox active on any websites ?
Are the security settings in firefox configured to allow java scripts ?
Is it the latest version of firefox ?

Do you have any tools to snoop on your clipboard ?

It's windows ? Is it patched ?

Try splitting your dev / surfing env's up by using VM's

Try clearing cache's, cookies, removing firefox, scanning for malware / virus's / etc, it windows....

Gunter KönigsmannMarch 17, 2018 6:30 AM

@Mark: Good point. But I use a proxy so if someone wants to contact a site in the intranet instead of using a proxy that might cause a timeout.

To the questions: It is windows. My Firefox is configured to not using Java. Also it is the latest 64-Bit and therefore AFAIK doesn't support the Java plug-in at all. But when Firefox is open it normally has 3--4 tabs that show websites. Disabling javascript is quite intrusive on some websites. But if someone is looking at my clipboard it would be a good suspect as I don't install flash.

And I hope I don't own any tool that accesses the clipboard without my knowledge. But as you have said: One never knows...

markMarch 17, 2018 7:47 AM


tcpdump / snoop / wireshark / am not sure what you have access to for a pcap / etc on your NIC(s) ? or even if you have administrator access

KilroyMarch 17, 2018 7:57 AM

"US spy lab hopes to geotag every outdoor photo on social media"

"Imagine if someone could scan every image on Facebook, Twitter, and Instagram, then instantly determine where each was taken....That's precisely the goal of Finder, a research program of the Intelligence Advanced Research Projects Agency (IARPA),..."

Most every smart phone picture has detailed meta data tags including location. It's one of those things tech people kind of know, but forget about it because we have no need for it. But, of course big brother wants to know ...everything...and when they get the technology developed it will be released to the internet surveillance companies so their dossiers can also be enhanced.

Meanwhile, everyday users don't know or care about stuff like this.

I am beginning to think resistance is indeed futile.

MarkMarch 17, 2018 8:17 AM

@ Kilroy

Wont work, anyone can make geotags for anywhere


-geotag TRKFILE Geotag images from specified GPS log
-globalTimeShift SHIFT Shift all formatted date/time values

bttbMarch 17, 2018 8:24 AM

""More than a third of a century" in industry. Do you get twinges when you say it? I sure do, it will be fourty years later this year for me :-S Time sneaks up on you like a mugger in a dark alley and whilst "the bit of badger" in my beard has become "distinguished" my mind still thinks I'm a mischievous tweenty something, if not younger. Thus at some point I'm realy going to have to start "Get old disgracefully" just to even the scales ;-)"

'Age and treachery may overcome youth and vigor' or something like that.

JG4March 17, 2018 8:26 AM

Thanks for the Sagan material on critical thinking. I usually can detect bullshit with good sensitivity, but I have seen things so well-crafted that it took multiple passes. At least one involved purported facts that I couldn't conveniently verify, skillfully woven into whole cloth.

I haven't watched the entirety of this so I can't endorse it. However, it was endorsed to me by a scientist:

5G Technology: Potential Risks To Human Health: Excerpts From Scientific Conference

A day late and a dollar short:
Big Brother is Watching You Watch

Google spends tens of millions on think tanks that back its policies The Times

Clive RobinsonMarch 17, 2018 8:28 AM

@ echo,

Beware the Deepspace draft standards...

I don't know how many avionics / electronics / communications standrads you have seen in your time, but the Health and Safety advice is "Do not print them out unless you have an appropriate dolly"...

Although just "Request for comment drafts" that are usually a shadow of the final documents they are still a danger to life limb and your future happiness. Look at it this way at the very least your boss is not going to be happy when you ask for time off for hernier surgery, because you had to get to the one at the bottom of the pile. Secondly there is also the environmental issue of a missing deciduous forest to make the paper...

But thirdly there is the rumour of "Specification critical mass". It's been suggested that if you put three stacks of such specifications together then they are above critical mass. Which means they draw themselves and anything else around them together and dissapear from sight by forming a nano black hole which has two well known effects.

Firstly the standard you read and carefully marked up has now suffered time dilation so is now out of date, before you started the mark up.

Secondly you get strange feelings of dejavue or ground hog day effects as the orbiting time dilation field flips you back a day or two so the task of marking up again not only feels endless but is...

Then there are the scary stories of the S-space portall into the Standiverse, a place that not only time has forgotton but it has the famous tower of Bable at it's core and as you approach you start speaking in toungues of standardees and get the demeanor of a librarian...

You have been warned ;-)

Clive RobinsonMarch 17, 2018 8:37 AM

@ Alice Radulski,

I was wondering if you had any comment on XKCD's claim that your actually just two mischievous kids in a big trench coat?

WHAT, Oh no, there is two of Bruce, OMG well that explains a lot ;-)

Do we now have to include sibling telepathy to his other list of skills such as standing in for Chuck Norris for stunts and action scenes?

KilroyMarch 17, 2018 9:08 AM


Good tip, I will get the tool. (My old Nikon stores certain tags, not geo, I erase or edit them. Sometimes.)

Yet, besides me and you who else will bother?

I note there is an app for the iPhone to paste a location icon of all your photos on a google map. I suppose the govt. will use that as their starting point.

But, thinking it through, if they have the free app, what else do they need?

MarkMarch 17, 2018 10:14 AM


exiftool has been around for since 2003 or so, anyone who wants their privacy maintained. Websites generally use exiftool or something similar to maintain a users privacy, dating sites, etc

I use it for my photography, and with vCrypt, to strip all metadata and then add a standard copyright statement, filename.

Download a random image from google, Facebook, twitter, etc and you'll find most of the data has been nuked.

echoMarch 17, 2018 10:26 AM


I never quite got the Stephen Hawking love and Carl Sagan missed me completely. There will only ever be one Magnus Pyke! He's my favourite plus he arranged his bookcase in order as one should so top marks for him.

I have heard rumours of avionics manuals.

Progressive, friendly, and enabling systems can help include people within a system which works and for them to be perceived as assets rather than a threat. While we must always be careful I do wonder if this can be forgotten in the race to judge.

Theresa May has used her party conference speech to warn Russia that the UK “will never tolerate a threat to the life of British citizens”, as the crisis around the Salisbury nerve attack deepens.

A Marks & Spencer store that was criticised for driving homeless people away with a high-pitched alarm has helped to launch a new initiative to tackle rough sleeping. [...] The manager of the store, James Mugford, said in a blog post that the call the company had received about the alarm from the Guardian was “one of my most difficult days”. He admitted that “having the alarm wasn’t right”. [...] M&S has got other organisations involved including Next, Debenhams, Metro Bank, the Salvation Army and the Refugee and Migrant Forum of Essex and London(Ramfel) charity to launch an initiative called #RedbridgeTogether.[...] “I think it’s brilliant. One of my worst fears when I was sleeping rough was that someone would come and kill me while I slept. That’s why we all slept in a group behind M&S – to try to stay safe.”

echoMarch 17, 2018 11:26 AM

An American business proves once again that without UK style laws to protect privacy they treat your data as their data. (Yes I know the UK government espeically are snoopers who treat citizens data as "their" property but at least there is enough legal leverage to make your local politicians life hell on earth until their improve their view.)

Everyone their cat and their dog knows what clothes I buy already. I'm not at all interested in what a clothes cleaning company wants to pass on so "brands and retailers can sell into my closet". My tastes are eclectic and my needs change and I would like at least one space in my own home which is mine. I also don't appreciate a delivery being dumped on the doorstep and a photograph "proving" delivery after the fact when some items are essentially irreplaceable.

There's a bit of a trojan horse strategy developing too. If you are a Rinse or Cleanly or 2ULaundry customer, you have given these companies permission to enter your home. What else can they offer? Rinse and Cleanly are collecting tons of data about what their customers buy and wear--both photograph all dry-cleaned items. Craig, Rinse's VC and adviser, suggests the company could "have the largest collection of data in consumer wardrobes"--so "we could help brands and retailers sell into your closet."


Cleaned clothing is delivered by Rinse's partners to its operations center, where it's logged and sorted. Valets then deliver those clothes according to the Rinse algorithm's route, in the same two-hour evening window as the pickup, and log each delivery in their smartphones. Valets can also leave the bags on doorsteps, in garages, or elsewhere, and take a photo of the dropped bag before departing.

albertMarch 17, 2018 12:10 PM

Resistance isn't futile, just stop using "social" media. It's a good start.
. .. . .. --- ....

Clive RobinsonMarch 17, 2018 12:19 PM

@ Mark,

Even worse when you use a search engine to search old news archives and find out your memory is still good, 'yep, that was reported in 1997,

Yes, it's always amazed me at just howfast people forget, when there is no incentive to remember...

As for Oracle, every which way they turn does not appear good for them, or their customers...

Sun did make good hardware and it used good technology from others where required.

For some reason still unknown they chose to go down the IAx86 route and things started going down hill rapidly...

Things could turn around but Oracle's track record is not that good of recent times... So breath holding is not the best of ideas ;-)

albertMarch 17, 2018 12:21 PM


SCIENCE AF STAFF: "... Is this some Russian fake news site or is it The New York Times? ..."

Michael Schermer (from video): "... Is this some fake news alternative site thing or is it The Wall Street Journal or The New York Times? ..."

Regardless of my opinion of Schermer (he certainly doesn't demonstrate critical thinking), I definitely won't bother with again.

. .. . .. --- ....

echoMarch 17, 2018 1:10 PM


I have no idea who Michael Shermer is. seems mostly boring or irrelevent to me and I have no plans to pay much attention to it.

I will say I quit watching a video by Neil deGrasse Tyson who "scientifically" critiques movies for "bad science". Movies are a story and sometimes need to compress concepts or time to carry a story. It's a cheap laugh but so is kicking the cane from under a disabled person. Cult of personality celebrity scientists who put themselves in the way of the material don't interest me at all.

Speaking of social media here is quick video discussing hierarchial power and social media and why dictatorships are paranoid. The focus then shifts to the pros and cons of hierarchial power, and discusses change and civic society. A small element of the talk alludes to control of the flow of information and survellience.

The feats and failures of hierarchical power: Stalin, Xi Jinping, Macbeth

albertMarch 17, 2018 1:48 PM


I intended no critique of you, or your posting of the link. I have followed Sagan for years, and I don't necessarily agree with him on everything.

I was simply pointing out the editorializing by "scienceaf staff".

Upon inspection, I found that scienceaf admits to bias and editorializing, and AFAIK, their staff is anonymous (which should a red flag).

Taking Schermers words and changing them is -not- editorializing. It's a cheap shot at implying something that Schermer didn't say.

This is BS and I'm calling them out on it.

Tyson is a rock-star scientist, and as such, isn't going to talk about leading/bleeding edge theories, or anything that crosses the party line. His show is entertaining, but mostly because of his guests.

. .. . .. --- ....

Apple OSX Firmware QuestionMarch 17, 2018 3:59 PM

For MacIntosh users.

For a forgotten MacIntosh strong firmware password, Apple's genius bar used to, and may still, help reset firmware passwords.

Since I mainly run OS X on this computer and linux guests, etc., using VirtualBox, it seems that I could wait to reset the firmware password until necessary, rather than as a preventative measure. Does that make sense?

Clive RobinsonMarch 17, 2018 4:24 PM

@ Mark,

how many milliseconds does it take to brute force your password?

That is a "how long is a piece of string question"...

In theory all you would need to do is work out the password space size Ps then work out the length of time to generate a password and test it Pt then... Divide Ps by the number of processors Cn then multiply the result by the gen&tst time,

Time = Pt * (Ps/Cn)

But that would be well shy of the real value as you would need all the other code to keep things running in an orderly way to consider.

The thing is you might be better off using a guided TRNG to hit the password space. That is rather than start at all zeros and clunk your way through every value, use random input to one or more directing algorithms. Be it simple like "only words in lower case" through to something way more complex but still within the range of normal human memorablity. Thus the six word "thecatsatonthemat" rather than the random "jecysnirdjewoefba".

There is however a flip side. The memorable password/phrase space if computed by a large series of algorithms could end up giving a considerable number of repeats, thus actually take longer than the simple brut force check.

“a great day for Democracy”March 17, 2018 5:06 PM

"... The disclosure Saturday came hours after Trump called McCabe’s firing by Attorney General Jeff Sessions “a great day for Democracy” and asserted without elaboration that McCabe knew “all about the lies and corruption going on at the highest levels off the FBI!” In the last year, Trump has repeatedly condemned as emblematic of an FBI that he insists is biased against his administration.

That sent former CIA Director John Brennan, an outspoken Trump critic, into a Twitter tizzy: “When the full extent of your venality, moral turpitude, and political corruption becomes known, you will take your rightful place as a disgraced demagogue in the dustbin of history. You may scapegoat Andy McCabe, but you will not destroy America...America will triumph over you.”..."

echoMarch 17, 2018 6:18 PM


You beat me to it ismar while I was washing makeup brushes!

This is a notable article on the development of technologies used by Cambridge Analytica, and personalities and agendas. What catches my eye and what I disagree with aren't the focus of this article.

I believe there is some truth in this other article I read about a lot of contemporary crisis being instigated and fueled by too much testosterone in the room. This kind of action isn't limited to men though although the strategies used my women tend to be asymmetrical.

The crisis in modern masculinity.
Luridly retro ideas of what it means to be a man have caused a dangerous rush of testosterone around the world – from Modi’s Hindu supremacism to Trump’s nuclear brinkmanship.

Sancho_PMarch 17, 2018 6:31 PM

@ Clive Robinson, Mark

”how many milliseconds does it take to brute force your password?”

I think the question is invalid because the context is unknown.
First we have to answer a very basic question:

How do we know the given password is correct?

I mean, it is obvious if the requested process tells you “user/pwd wrong, try again”.
But if the process returns data / function (e.g. text or an valid account),
how would we know we got the “right” password?

But as long as our machines are simpler than The Turk you may try calculate a time.

D-503March 17, 2018 6:32 PM

@Apple OSX Firmware Question
I'd suggest getting this dealt with ASAP. Hopefully an authorized Apple dealer can help you with this.
Apple's Support pages are amusing, in a way: When translated into plain English, their standard advice for any problem is "Toss your $3000 device in the landfill, and and buy a new, less-functional version from us for roughly the same price."
A forgotten Apple firmware password is not a good place to be. The reason being, several indispensible startup keys become inaccessible if you've set a firmware password and have forgotten it:

It's a lesson in the importance of backing up any data you can't afford to lose.

MarkMarch 17, 2018 6:46 PM

@Clive Robinson

Sun had an x86 port of Solaris going back to 2.5.1 which had a decent commercial footprint. I've actually run x86 on my laptop's from 2.6 in the late 1990's to still today ( about 20 plus years now ).
The biggest screwup thet Oracle did, was to literally steal all the community based work performed under OpenSolaris, tell everyone they were dropping x86, and gave business no other choice but to move to another OS whilst they bummed around deciding who and who not to cut from the acquisition.

I got lazy, and just divided Possible Combinations by the number of Flops ( Flops=125436000000000000 : )

Password Characters Possible Combinations Total Seconds
1 96 2 9216 3 884736 4 84934656 5 8153726976 6 782757789696 7 75144747810816 8 7213895789838336 9 692533995824480256 10 6.64832635991501046e+19 530.017408073839285
11 6.38239330551841004e+21 50881.6711750885714
12 6.12709757329767364e+23 4884640.43280850285

echoMarch 17, 2018 6:47 PM

Europe may be getting a new surveillance aircraft. This may help mitigate the Boeing monopoly and the Nimrod disaster.

Saab’s GlobalEye swing-role surveillance aircraft goes airborne

LONDON — Saab’s GlobalEye swing-role surveillance aircraft got airborne for the first time March 14. The Swedish company says it remains on schedule to deliver an order from the United Arab Emirates for three jets.

The aircraft, a modified Bombardier Global 6000, flew from Saab’s Linkoping airfield for a 1 hour and 46 minute flight to begin checking out the handling and flight performance of the jet.

For the moment the aircraft is only fitted out with flight test instrumentation. The sensors that give the GlobalEye its swing role surveillance capability will be integrated later.

More background on Jane's.
Saab is pitching its GlobalEye airborne early warning and control (AEW&C) platform as a possible future successor to the Boeing E-3A Airborne Warning and Control System (AWACS) currently fielded by NATO.

Much earlier comment on business jet and unmanned platforms, the issues of monopoly, and broad interest for developing the technology base.

MarkMarch 17, 2018 8:23 PM

@ Sancho_P

No username, Password is on a symmetrical encrypted file.

Cypher engine may or may not return a > 0 error code on failed password or generate some stdout error text.

mime typing the file prior / post for comparison of data structure changes, along with binary differential testing of file contents.

Time is exponential based on a possible 96 english keyboard characters per character position in the password string which has a length based on your standard length of password divided by the number of cycles required by a CPU to perform the loop, distributed across a finite number of cores ( TFlops ).

AlanS March 17, 2018 9:53 PM

Guardian's latest Cambridge Analytica story: ‘I created Steve Bannon’s psychological warfare tool’: meet the data war whistleblower.

Tamsin Shaw, a philosophy professor at New York University, and the author of a recent New York Review of Books article on cyberwar and the Silicon Valley economy, told me that she’d pointed to the possibility of private contractors obtaining cyberweapons that had at least been in part funded by US defence. She calls Wylie’s disclosures “wild” and points out that “the whole Facebook project” has only been allowed to become as vast and powerful as it has because of the US national security establishment. “It’s a form of very deep but soft power that’s been seen as an asset for the US. Russia has been so explicit about this, paying for the ads in roubles and so on. It’s making this point, isn’t it? That Silicon Valley is a US national security asset that they’ve turned on itself.” Or, more simply: blowback.

RachelMarch 17, 2018 10:27 PM

Courtesy of Naked Capitalism:
begin quote

And from a London-based reader:

And one thing which is unbelievably anechoic. I’m actually in Salisbury today (part of a regular variant on my commute when I have to head west, the station is a large rail hub) and it’s less then 10 miles from where I live. So I know the area like the back of my hand. No-one, and I mean no-one has ever asked in the MSM just what the guy was doing living here. It’s about as unlikely a spot for anyone to end up living here as it’s possible to get. You get a few retirees, but very little influx from out the area.

But Salisbury is the epicentre for the U.K. military operations. There are at least half a dozen key installations of strategic importance... [list of places] ...and that’s just off the top of my head, there’s a lot more you drive past which are military facilities but not on the same scale as these.

He had no reason to live in the city and it is an unbelievable coincidence that it is so close to so many of the U.K. military high command’s sites. He was almost certainly here for a reason, and if I had to work in the area of helping the U.K. military/industrial complex, Salisbury is exactly where I’d live. No-one has mentioned in the press coverage how he supported himself, what he did in England since the spy swap and why he was swapped in the first place.

The whole thing absolutely stinks.

Another observation from our reader who knows Salisbury (he sent this yesterday right after his initial comment but I somehow missed it):

If anyone had wanted him dead, they could have simply knifed him in the city centre on a Friday night. It would have gone completely unnoticed

in all the other crimes. The place is one of those typically genteel English towns (it’s only a city because its a cathedral city) where everything is peaceful and quiet in the sticks, the local hotheads get boozed up and let off steam in the pub quarter in the city centre. I wouldn’t go there after dark unless I had to and was with a group.

end quote

And some light relief:

The Onion: Facebook announces plan to combat fake news stories by making them actually

tyrMarch 17, 2018 11:05 PM


Shermer is a bicycle jock who claims to
be a skeptic. You can see him on YTube
Mixed Mental Arts podcast with some
comic character as an interviewer.

I heard a rumour that Google was the
source of rus meddling using it's new
and shiny AIs, supposedly an internal

With apologies to Clive, I can't wait
to see the English launch an amphibious
assault on Crimea with BoJo in the lead
waving his rusty saber.

I think it was Wells who said that an
appeal for funds for survivors of the
charge of the light brigade managed to
collect 24 pounds.

Clive RobinsonMarch 18, 2018 1:16 AM

@ Kilroy,

"Imagine if someone could scan every image on Facebook, Twitter, and Instagram, then instantly determine where each was taken...."

I don't have to, I did a design for exactly the same technological purpose back in 1995 for a major UK news gathering service.

The company was at the forefront of going fully digital to speed up delivery. One major point they had identified was the old take, gather, develop, print, view, edit and review of film footage.

They had come up with the then revolutionary idea of having a massive hard disk farm that a news crew would simply upload their footage, notes and other stuff to.

In an experiment what they discovered was that although it eliminated gather,develop and print phase of analog film it made worse parts of the edit, review and production phase.

It was mentioned as a problem to a group of post grads as a major issue. Being somewhat younger and brassier than I am these days I pointed out it should not be an issue. When asked why I pointed out that a combined GPS, magnatometer, inclinometer, and lens selection and range information should when put into a searchable database give all that was required to remove the bottle neck.

A prototype showed that it did indeed remove the bottle neck but they wanted more. Thus a GIS DB was added. Thus a single image frame would give information that would flip back to the time and place, which would automatically pullup all the other footage as well as providing a map/diagram of camera positions and their sight lines in a couple of seconds as well as later alowing everything to be time synced together.

Thus I can easily imagine what doing the exact same thing but using the Internet as the hard disk farm we would now call the cloud.

It was thinking about that a little later that finally made me realise that technology was not just agnostic to use, it could also destroy privacy and be used to search down and destroy conflicting evidence when the state is "doing propaganda with an airbrush". Much beloved by the Russians and other dictatorships, who realise that just rewriting history is not enough, you also have to destroy the past that conflicts with your new narative...

MarkMarch 18, 2018 6:09 AM


I see your memory of 20 years ago is quite good without searching news groups...;)

The stupidity of Australian Politicians reached a new low a couple of weeks ago whilst I was corresponding with the Assistant Minister for Science, Jobs and Inovation regarding AISEF / EPL / ASD evaluation and listing.

Hopefully the shadow minister is able to confirm that the 4000 year old Science of Cryptology, is a Science.

RatioMarch 18, 2018 7:02 AM

The Metropolitan Police Service (UK): What is hate crime?

If someone commits a criminal offence and the victim, or anyone else, believes it was motivated by prejudice or hate, we class this as a ‘hate crime’. It means the offender can be charged for the crime itself and also their reasons for doing it.

If someone does something that isn’t a criminal offence but the victim, or anyone else, believes it was motivated by prejudice or hate, we would class this as a ‘hate incident’. Though what the perpetrator has done may not be against the law, their reasons for doing it are. This means it may be possible to charge them with an offence.

(Emphasis mine.)

I forget, what’s this called again?

Clive RobinsonMarch 18, 2018 7:14 AM

@ Bruce and the usual suspects,

This is a "must read" level paper when it comes to attribution,

Of note would be the recomendations to avoid having your coding style categorised. Because in reality they are not practical for most "passionate programers"[1].

I can see ways to make this analysis method not just less effective but also as a filter for false flag activities where you want to take existing code and make additions as though they were added by the original programmer. That is not to disimilar in concept to writing malware code to get past AV checking.

The logical end game of this type of stylistic attribution is like that of ECM to ECCM to... That is the number of "counter" measures just go up and the cost of each is a significant multiple of the preceading one.

[1] Getting a "passionate programer" tag to your name is not the brightest mindset to be in even at the outset of your career. Mostly as it easily translates in other peoples minds to "works for low pay" or has a compliant or "doormat" personality. But it also denotes a level of immaturity to be ruthlessly exploited as people are starting to find. One form of such exploitation is to get you to be the scapegoat in all sorts of ways.

echoMarch 18, 2018 8:06 AM


This is why not just content but history and context matter. In my experience corrupt official try to create a favorable paper trail and any action which falls within their beaurocratic influence is manipulated to barge past history and context when the content is challenged.


You haven't been the victim of discrimination or instititional discrimination? These kinds of hate incidents can be very foggy and difficult to pin down because they often work on many levels. I'm happy to share all the information I have some of which I would like to believe is career ending for some individuals or at the very least cause a substantial change of mind but Bruce's blog is probably not the place to share this.

I have previously said that the number of avoidable deaths in the UK over a decade is equivalent to a major war. Discrimination kills and ruins lives not to mention defrauds many many citizens out of their sometimes life saving entitlement.

RatioMarch 18, 2018 8:38 AM


You haven't been the victim of discrimination or instititional discrimination?

(Insitutional) discrimination isn’t against the law?

Please read this paragraph carefully:

If someone does something that isn’t a criminal offence but the victim, or anyone else, believes it was motivated by prejudice or hate, we would class this as a ‘hate incident’. Though what the perpetrator has done may not be against the law, their reasons for doing it are. This means it may be possible to charge them with an offence.

I’m pretty sure some guy thought up a word to describe this type of thing…

echoMarch 18, 2018 9:17 AM


This Metropolitan Police policy is similar in shape to US libel case law. The issue is one of intent to cause harm because of discriminatory reasons.

Proving this kind of case is difficult outside the careful discipline of a court room when you are actually in the situation and have no power in reality to affect the outcome. It's difficult to describe this kind of expeirnce but not unlike malpractice in public office and domestic abuse and, itself, can give rise to a harassment complaint, or psychiatric assault (in the UK "emotional damage"). While a singal incident may not itself meet the threshold of criminal (or even civil) prosecution a pattern of similar below the radar incidents can meet this threshold. Within UK law anecdotal (or "hearsay" evidence can be submitted in both criminal and civil cases, and under equality law due to the practical difficulties of bringing cases circumstantial evidence can be used. With regard to equality law there is also the issue of integrity of the law and also the appearance of complying without actually complying which may illuminate negligience and discrimination.

While a lot of protected categories suffer from this kind of discrimation I suspect this law may also be used against neo-fascists who are known to follow a strategy of appearing to act within the law and embed themselves in state and other instititions and who form direct and indirect symapthetic networks to further a bigger neo-fascist agenda. This has been reported on previously (I don't have a link available offhand) and alluded to by Steve Bannon's reported comments in the article exposing Cambridge Analytica.
In 1964, however, the court issued an opinion in New York Times Co. v. Sullivan, 376 U.S. 254 (1964) dramatically changing the nature of libel law in the United States. In that case, the court determined that public officials could win a suit for libel only if they could demonstrate "actual malice" on the part of reporters or publishers. In that case, "actual malice" was defined as "knowledge that the information was false" or that it was published "with reckless disregard of whether it was false or not". This decision was later extended to cover "public figures", although the standard is still considerably lower in the case of private individuals.

JG4March 18, 2018 9:30 AM

Thanks for the helpful discussion. Nice parallel between The Saker's point about provoking Russia and Hoover's quote about sticking pins in rattlesnakes.
How Did Private Property Start? Jacobin (Chuck L)
Big Brother IS Watching You Watch

The Cambridge Analytica Files ‘I created Steve Bannon’s psychological warfare tool’: meet the data war whistleblower Guardian

How Trump Consultants Exploited the Facebook Data of Millions NYT

Senate Judiciary Dem calls on Zuckerberg to testify before committee The Hill
New Cold War

Hold my beer and watch this! Vineyard of the Saker (Chuck L)

Russia claims foreign hackers are trying to interfere with its election Business Insider
...[any unsafe management creates an opportunity for bad people to do bad things]
Towers with Grenfell-style cladding ‘at risk of arson and terrorism’ Guardian

echoMarch 18, 2018 11:09 AM

My belief is the police are using the threat of terrorism as an excuse to soften the public up for armed police (which has been floated before). The police have many failings such as looking the other way when crime involves important people abusing their position and discrimination, not to mention police bullying and knowing ignoring the law or misinforming the public about the law to cover up their own inadequacy.

I have a covertly taken video which I recorded myself of a metting I arranged where a UK police officer blatantly made a racist comment and blamed black people for problems while his colleague sitting next to him not only said nothing but then menaced me into giving up a complaint against polcie station staff who I had covertly recorded bullying me out of making a complaint against a state official.

Why would anyone trust UK police with more agressive power?

On a seperate occasion I was also punched in my own home by a sexist UK police officer while a colleague standing right next to me looked the other way.

The same police force also switch their body cameras on and off to record a distressed citizen and hide their own aggression. I know because I saw the lights go on and off when they did it.

Yes, I am prepeared and ready to testify if any lawful prosecuting authority wishes to follow this to its ultimate conclusion. (Hah hah.)

All police officers on routine patrol should be allowed to carry Taser stun guns, the country’s chief firearms officer has said.

Simon Chesterman, the armed policing lead for the National Police Chiefs’ Council (NPCC), indicated he supported a wider rollout of the weapon amid fears of a growing threat to frontline officers.

The possibility of expanding the pool of staff eligible for Taser training was first mooted last year as police leaders launched a review to examine what further measures may be needed to ensure staff could protect themselves and the public when faced with armed terrorists.

AlanSMarch 18, 2018 12:03 PM

On CA, Facebook, data mining and exploitation, this passage from a recent book review in the Guardian seems highly relevant:

What he won’t countenance, but which theorists such as Max Weber, Hannah Arendt and Zygmunt Bauman pondered at length, is the notion that modern science lacks any ethical logic of its own. Could it not be that “progress” is both liberating and threatening? That rationality is dangerous precisely because of how hugely it expands human power? Even the most pessimistic social theorists of the last 150 years were not against enlightenment, so much as the machinery that it made available to less enlightened political forces, including capital.

echoMarch 18, 2018 12:18 PM

I caught an article on reputation and also another on "fake memos". I have personally been on the receiving end of beaurocrats where other unpromted people mentioned concerns, and also notes of meetings being written up when I was safely out of the room to question them.

I daresay this kind of thing isn't new. In fact I have been advised by a manager of one organisation to document everything justin case. Memowars whereby beaurocrats create an email trail during discussions to "prove" agreement to actions or create a history even where no evidence this history exists happen too from reading other people's experiences.

I personally find these kinds of articles troubling. From my point of view they undermine the role of evidence, and fact and science.

Say goodbye to the information age: it’s all about reputation now
There is an underappreciated paradox of knowledge that plays a pivotal role in our advanced hyper-connected liberal democracies: the greater the amount of information that circulates, the more we rely on so-called reputational devices to evaluate it. What makes this paradoxical is that the vastly increased access to information and knowledge we have today does not empower us or make us more cognitively autonomous. Rather, it renders us more dependent on other people’s judgments and evaluations of the information with which we are faced.

Donald Trump went on the offensive against fired FBI deputy director Andrew McCabe on Sunday, responding to reports McCabe kept memos of his conversations with Trump – and has turned them over to special counsel Robert Mueller – by claiming McCabe never took notes in meetings with the president.

carrotsMarch 18, 2018 1:11 PM

@Mark, all

Regarding FooCrypt

By DEFAULT, FooCrypt establishes a password strength with 4.18640577277337772e+1016 Possible Combinations

The discourse is all wrong. I would take the project a million times more seriously were it to say "FooCrypt is a nice app that creates 256-bit passwords" I don't want to figure out bit-strength from base 10 pwd space.

After doing that anyway, seeing that it's 3377 bits, I feel it's absolutely stupid considering OpenSSL cipher suite has no symmetric cipher over 256 bits. The largest key size in symmetric ciphers is 1024 bits (Threefish), so it is just silly.

using any data as a source to create a FooKey

One does not need to invent terminology. It's as simple as "FooCrypt hashes input data to form a password" What does it use for hashing?

50 layers of encryption

With PBKDF one usually talks about rounds.

50 cycles ( layers ) of encryption is the DEFAULT configuration which contains 25650 total characters, 24250 random / binary sourced characters @ 512 characters per cycle, protected by MD5 Checksums, which is encrypted in a single cycle ( layer ) of encryption by DEFAULT.


I don't know even where to start dissecting this pile of techno babble and snake oil. It's incoherent and unprofessional. I'd say it's an elaborate joke, but it looks like way too much effort to be one.

Sancho_PMarch 18, 2018 2:06 PM

@Ratio, re MPS “… believes it was motivated by prejudice or hate …”

”I forget, what’s this called again?”

Isn’t it called our future?

Clive RobinsonMarch 18, 2018 2:45 PM

@ Ratio,

I forget, what’s this called again?

It goes by lots of names. Put in the London East End vernacular it's "fitting up".

It's not new though. I was talking about the Salem Witch trials that were supposadly "the rock against which theocracy shattered" in the US. I mentioned that it was also the begining of a certain type of legal process that is very evident today.

If you look at the Salem Trials most of those who were either hanged or died in prison had been accused by their neighbours with whom they had what we would now call civil dispute. The evidence presented against them was in many cases,

1, I am cursed.
2, The Devil came to me in my mind as my neighbour.
3, The Devil could only do this if my neighbour had consorted willingly with the Devil.
4, Therefore my neighbour must be a witch.

There was a variation on this theme of,

1, As I fought the Devil in my mind, my body convulsed.
2, It stopped when my neighbour touched me.
3, This could only happen if they were the one who cursed me.
4, Therefor my neighbour is a witch.

And several others, in each case it was the accuser who was believed because the witness had sworn on the good book it was so, even though what the accuser was saying was compleate nonsense.

Also as seen a quater of a millennium later in the US Anti-American trials salacious witnesses got fame from their testimony... Thus to maintain the spotlight on them they just kept on accusing people of being witches. Which is what a number of teenage girls did at the Salem trials.

The little evidence that was real not imagined amounted to little or nothing of possession, as the symptoms of some of the "cursings" have been seen in many cultures where rye forms a part of the staple diet. The weather in 1691 as far as we can tell would have given rise to the potential for ergoto fungus to grow in the seeds of the rye crop. The ergot fungus produces toxins that can have LSD like symptoms along with things like gangrene and is known as "ergotism",

Parallels in modern western legal systems where the accuser is the sole provider of evidence against the accused and there is no testable evidence involved are on the rise. Which is very convenient for the authorities needing to get improved conviction rates to show the politicos are tough on crime as well as very profitably fill private prisons who give them campaign funds and the like...

Clive RobinsonMarch 18, 2018 3:06 PM

@ Alan S,

With regards CA, there is much clearer evidence they interfeared in UK politics and UK voting in exactly the way various US entities have accused the Russians. Also there is the tie in with Peter Thiel and his organisations. Both of which I've mentioned here before.

Speaking of Peter Thiel and his very dubious company Plantair have certain "thought crime" products used by US LE Entities. Some of which now realise are Plantairs products are actually highly toxic. Thus they are now dropping Plantair... Not before time.

The myths of "Big Data" and the acceptability of the AI "to mine it" are begining to become obvious to those who have purse strings to mind. Thus as the legal bretherin are waking up to the fact there is big money to be made on shooting such AI down the purse string holders are getting twitchy.

Whilst this will not entirely kill of Big Data and the AI involved it should kill of the speculative bubble and thus the snake oil products it has encouraged.

Barbara (not my real name)March 18, 2018 6:17 PM

Schneier is blocking most Tor exit nodes. I have to keep selecting "new tor circuit for this site" over and over again in order to see this web site. I realize Tor isn't perfect, but it's the best we've got. Please allow even the small amount of anonymity it affords...

MarkMarch 18, 2018 7:15 PM

@ carrots

am confused by your interpretation of the documentation.

Classifying something as snake oil and technobabble as you have difficulty in understanding the concepts is a juvenile retort.

Do you own a copy of FooCrypt ?

PBKDF ? DK = PBKDF2(PRF, Password, Salt, c, dkLen) am unsure why you are even referencing RSA terminology

4.18640577277337772e+1016 Possible Combinations

Brute forcing the key / password ? 96*96...... results in combinations.

So if FooCrypt, uses a cypher engine with ThreeFish as the cypher, and utilises 50 cycles of encryption, with the password max'ed to 1024 characters, whats the brute strength by default ?

echoMarch 18, 2018 9:20 PM

Following on from earlier links in this topic about the Metropolitan Police policy on hate crimes Border Force has refused entry to a neo-fascist (a.k.a. Nazi in pinstripes).

To some degree this helps prove that policy can lead society and galvanise organisational culture change.

“Border Force has the power to refuse entry to an individual if it is considered that his or her presence in the UK is not conducive to the public good,” said a spokesperson.


“Far from being denied a chance to air their views, as they often like to falsely claim, these extremists have abused freedom of speech and social media platforms to spread and push toxic views which, as Britain’s most senior anti-terror police officer has warned, are akin to how jihadi hate preachers like Anjem Choudary pushed their vile beliefs in the past.

“These extremists are two sides of the same coin and need each other – which we, the ordinary Britons, do not.

carrotsMarch 18, 2018 9:46 PM


No I do not own a copy of FooCrypt. The documentation is enough to deter one from buying Foo-products, like the 10 million dollar iPhone containing "banned crypto".

"Classifying something as snake oil and technobabble as you have difficulty in understanding the concepts is a juvenile retort."

You ignored all the critisism regarding non-standard terminology, and instead attack. PBKDF is a generic term like KDF, I just added PB to be more specific. It's hard to understand documentation that isn't written with the industry standard terminology. So your documentation unfortunately fills the definition of Technobabble:

-- a form of jargon that consists of buzzwords, esoteric language, specialized technical terms, or technical slang that is impossible to understand for the listener. (Wikipedia)

See also, Schneier on Snake Oil - Warning Sign #1: Pseudo-mathematical gobbledygook:

The point here is that, like medicine, cryptography is a science. It has a body of knowledge, and researchers are constantly improving that body of knowledge: designing new security methods, breaking existing security methods, building theoretical foundations, etc. Someone who obviously does not speak the language of cryptography is not conversant with the literature, and is much less likely to have invented something good.

Why is the license proprietary? How do you expect us to review your system is secure if you don't share how it works. Kerckhoffs's principle and all.

"So if FooCrypt, uses a cypher engine with ThreeFish as the cypher, and utilises 50 cycles of encryption, with the password max'ed to 1024 characters, whats the brute strength by default ?"

You're actually encrypting data 50 times? Why? What's wrong with single-pass?

Not understanding that 1024 characters is not the same as 1024 bits is enough to show you have absolutely no idea what you're talking about. Schneier on Snake Oil - Warning Sign #4: Extreme cluelessness.

What is this? You're providing authentication

1. for individual files (instead of zip-archive)
2. with MD5 hashes (instead of SHA256)
3. on a non-TLS site (instead of using TLS by let's encrypt)

Again, extreme cluelessness.

Why do you advertise

FooCrypt, A Tale Of Cynical Cyclical Encryption takes away the 'BAD GUYS'. Gives YOU total peace of mind over the SECURITY/PRIVACY of YOUR DATA Whether it is sitting in situ on a MEDIA DEVICE or in TRANSIT

yet you offer an insane amount of crappy OpenSSL cipher configurations from broken ones like RC2 and DES, to a bunch of should-probably-have-been-buried-already algorithms, not to even mention dangerous choices like AES256-ECB. One should't sell guns that come with a load of custom barrels, some of which are weak, some broken, and some point to the shooter's foot, don't you agree? Again, extreme cluelessness.

"A FooKey consisting of 25600 characters spread across 50 lines which contains 50 carriage returns."

Do you understand how e.g. /dev/urandom CSPRNG works? That the internal state size never exceeds 512 bits. The source of entropy is based on single algorithm (chacha20) which is enough. Not even the entire entropy pool of kernel CSPRNG contains more than 4096 bits. Extracting 25600 bytes from 4096 bits has at most 4096 bits of entropy.

FooKey doesn't seem to use multiple ciphers, so basically you're just increasing rounds of single cipher and doing custom key-scheduling. This is pointless because e.g. AES256 rounds are conservative enough. Even though it's not as good as e.g. Serpent was at the time, nobody, and I mean nobody, is going to bother attacking it. Like Bruce says, there are two kinds of crypto, one that your kid sister can't break and one that major governments can't break. The latter is called Advanced, Persistent Threat. The word Persistent might as well say Patient. Compared to the cost of CT-only attack, every other attack imaginable is cheaper, and often they take time.

Schneier on Snake Oil - Warning Sign #5: Ridiculous key lengths.

Regarding FooKeyBoard
With a regular keyboard, users choose weak passwords. With an on-screen-keyboard, users choose insanely weak passwords. You take for granted the user is not infected with screenlogger (free) but offer protection against hardware key logger (expensive). You ignore the fact the password has a fraction of bit-strength compared to the oversize keys, and ignore use of slow hash functions like scrypt.

"/FooCrypt/Internal [ Uses FooCrypt's internal random data generator as the source of random data ]"

This RNG sounds like a horrible home-brew crypto. Where is the white paper and semantic proofs of security? Until provided: Schneier on Snake Oil - Warning Sign #3: Proprietary cryptography.

"No One To Date Has Been Able To By Pass Or Break Into A File Encrypted With The FooKey Method."

To date there has been zero peer-reviews / audits of FooKey. No-one should assume it's secure, especially when nobody's able to review code or understand the proprietary algorithms. Schneier on Snake Oil - Warning Sign #9: Cracking contests.

@All: Using this snake oil can get you killed.

ThothMarch 19, 2018 12:13 AM


Not sure if you realize the silence on that topic by most of the seasoned posters :) ?

Clive RobinsonMarch 19, 2018 12:15 AM

Did,the Intercept and NYT make it up?

If you think back a little you may remember a story about the NSA using it's Twitter account to send messages to a Russian who claimed to have access to all sorts od secrets, including the infamous "Trump Pee Tape"... That mucked up the negotiations for a "buy back" of the NSA hacking tools?

Well Gizmodo ran a piece on it,

Which got updated back in Feb but nobody realy picked up on. The update was,

    Update, February 12, 2018, 1:30pm: The NSA finally got back to us about this story and emphatically denies that it ever sent coded messages via its public Twitter account.

So not the usuall "can not deny or confirm" line, an apparant flat out denial, would this be a first for the NSA? Were the Intercept and NYT articles bogus / fake news?

Well, think back further the NSA "has a way with words" that is they ascribe a meaning that others woukd not and thus it would appear to deceive by it...

The NSA flat denial may well be another helping of Orwelian "New Speak". Think about,

    [The NSA] emphatically denies that it ever sent coded messages via its public Twitter account

The whole truth or falshood rests on the definition of the word "coded". Unfortunatly for the writer of the Gizmodo article update, they probably do not realise that what was sent was not actually by definition a "coded" message.

What the NSA alledgadly did was "notify" the Russian in advance that a message would be sent so that the Russian would get confidence that negotiations were still in progress.

Notifing somebody in advance that a message will be sent is not actually sending a coded message wia the other medium (ie the twitter account). All it is is "advanced notification" of what is a banal PR statment that had probably been aproved by the NSA Press office weeks or months in advance. Therefore the actual message was not a code at all but a null[1] or "padding".

The reason people should realise this is that the One Time Message or Phrase system is often used to waste peoples time. If you look at numbers stations they just send out what appears to be gibberish. However some think the gibberish contains coded instructions. Thus if your enemy devotes resources to checking your numbers station for coded messages and they do not find any, they have used resources that might have been better deployed doing other things. So if you have an enemy getting them to waste their expensive resources on your cheap fake message system would be seen by many as a win... But the thing is such a system can also be a "double bluff" that is you have the system up and running waiting for an emergency, till that time you send out null messages as pading "to keep the channel open". The enemy has no way to know if their failure to find anything is due to limits on theor abilities or not...

So it is actually possible the NSA, the Intercept and NYT were all telling the trurh...


carrotsMarch 19, 2018 12:47 AM


I realize why nobody is bothering to reply to it. However, dissecting and burning such creations can be both entertaining and educational for the readers. Snake oil is a whack-a-mole game and while it's getting old, I felt it was my turn.

MarkMarch 19, 2018 1:46 AM


'FUD' [,_uncertainty_and_doubt ] by a juvenile with a juvenile retort to death threats.

"FooCrypt, A Tale of Cynical Cyclical Encryption." is currently under export control by the Australian Department of Defence Defence Export Controls Office due to the listing of Cryptology as a ‘Dual Use’ Technology as per the ‘Wassenaar Arrangement’

tyrMarch 19, 2018 3:42 AM

Another book recommendation.

Work, Consumerism and the
New Poor

Zygmunt Bauman

This work tends to wrap up a lot of things
that make people uneasy in modern society.
Parallel construction in LE, usage of the
massive data to frame parts of society as
'waste persons' or deviants from some norm.

You can see what he is talking about quite
easily in the way homeless are swept off
the streets to serve a dual purpose a) to
make the rest of us afraid of them b) to
reinforce their invisibility.

Since automation and down-sizing creates
more people like this everyday (with none
guaranteed we won't be next) all of the
previous safety nets are being eroded as
being wastes of taxpayer moneys.

The ridiculous ideas that some sort of a
moral high ground is occupied by either
side of the right/left divide pales in
comparison to the actions by both to turn
some selected group of humans into the
unworthy of being helped. Blaming it on
the ones who are desparate is not solving
any problems.

MarkMarch 19, 2018 3:49 AM

@Clive Robinson
Every intelligence gathering organisation utilises Cyphers & Steganography, hard to imagine anyone actually believes the response cited from the NSA.

ASD who oversight cryptology here in Australia and work in conjunction with our allies [ NSA, GCHQ, etc ], are quite public on their statement.

'Australian Signals Directorate
Reveal Their Secrets – Protect Our Own'

[ ]

MarkMarch 19, 2018 8:44 AM

@Moderator @Bruce

Please explain why you are allowing participants in your blog, to utilise your service to publicly convey death threats.

VinnyGMarch 19, 2018 8:52 AM

@Mark, @Clive re: "time in service" & deja vu
I know what you mean. I retired a couple of years back after 38 years in IT. When I started, I was using quite obsolete tech, so the overall effect might even exceed the year count. My "formal training" was limited to a 3 semester tech school course in COBOL using IBM System 3. Used 80 & 96 cc "unit record" tech. Spent much of my career in the IBM midrange world developing in RPG variants & OCL/SSP. Eventually I picked up PC tech as well. Finally moved to InfoSec about 12 years before retirement (thanks in part to attending a presentation by Bruce S sometime in late 90's.) Nothing very fancy in my career, few exotic assignments, most pretty pedestrian. But I was infected with the "insatiable curiosity" bug and always tried to stretch my knowledge as far beyond my duties as I could. I spent a lot of time during my last few working years responding to younger colleagues' claims of some "new, revolutionary" development with, "Yeah, we used to call that xxxxx" :)

MarkMarch 19, 2018 9:01 AM

@Moderator @Bruce

Justifications and control requirements were clearly outlined in the email correspondence to

@All: Using this snake oil can get you killed.

MarkMarch 19, 2018 9:08 AM

@ VinnyG

Terminology changes based on identical concepts from 20 or 30 years ago seems to be a trend started from the Cloud boom, just to give bureau and time share processing a new lease on life as hypervisors became more stable.

ModeratorMarch 19, 2018 9:35 AM

@Mark, "@All: Using this snake oil can get you killed" is a vague, albeit dramatic, statement of opinion about a product, not a "death threat" against its developer.

MrCMarch 19, 2018 9:37 AM

@ Mark, All,

Seriously? It's pretty damn clear to me that carrots meant that using snakeoil crypto products in a secrecy-critical situation can get one killed when the snakeoil crypto fails to protect your secrecy. E.g., you're using snakeoil crypto for planning dissident meetings in a country with a repressive regime who breaks the snakeoil product, learns your secrets, and sends a death squad for you. It takes something bordering on willful misinterpretation to reach the conclusion that carrots was threatening to kill people for using snakeoil crypto products.

MarkMarch 19, 2018 9:45 AM

@Moderator @Bruce @MrC

carrots framed an argument based on FUD, and clear made a death threat against ALL current and future users of FooCrypt, A Tale Of Cynical Cyclical Encryption.

Up to you dude, if you remove it or not, its already being followed up as per the Defence Reporting requirements on controlled exports covering cryptology here in Australia.

Take down / shut down, your choice.

RatioMarch 19, 2018 9:53 AM


The issue is one of intent to cause harm because of discriminatory reasons.

No, it isn’t.

Here’s that same paragraph, but edited to address the reader directly:

If [you do] something that isn’t a criminal offence but the victim, or anyone else, believes it was motivated by prejudice or hate, we would class this as a ‘hate incident’. Though what [you, the perpetrator, have] done may not be against the law, [your] reasons for doing it are. This means it may be possible to charge [you] with an offence.

Please read those three sentences carefully. What is really being said?

carrotsMarch 19, 2018 10:08 AM


You are clearly unable to understand the difference between a death threat and me warning that people in dangerous positions who rely on cryptography with their lives, say a Russian journalist, a future FSB whistleblower etc. who are looking for safe crypto from the west are in mortal danger when they use crypto created by amateurs. The fact you're unable to answer the criticism and instead attack a straw man speaks for itself. Accusing me of making threats sounds like an attempt to get the valid criticism removed.

Your argument for FUD is invalid, as all my arguments e.g. on AES-ECB are based on facts.

The aim of Wassenaar, a legally non-binding agreement (as opposed to a legally binding treaties) is to "prevent the acquisition of listed items by terrorists." You're under non-enforceable "export control"? Cool. Making such formal statements do not make an impression here. To me it sounds like you're arguing the application is secure based on the fact it's regulated. This is illogical.

Wassenaar is also completely unrelated to anything in the posts above, so it clearly looks like you're derailing the conversation. Please answer the original concerns. I will keep reminding you of them after every evasive reply.

Why are you not using terms by crypto community? (e.g. why are you calling hardened symmetric crypto "quantum encryption" when it's a completely different thing. )
Why are keys ridiculously over-sized?
Why is the license proprietary?
Why use multiple passes with same cipher?
What's with the incompetent file hashing?
Why provide support for insecure cipher configurations?
Where is the documentation for the home-brew FooCrypt/internal RNG? Is it peer-reviewed?
Why do you claim unaudited, proprietary software is safe to use?

@All: Avoid, avoid, avoid.

MarkMarch 19, 2018 10:11 AM

@Moderator @Bruce

Is the moderator posts the hired help or you Bruce ?

its 8:11am in LA, your hosting service opens at 9.

RatioMarch 19, 2018 10:15 AM


Isn’t it called our future?

Not mine, muchas gracias.

@Clive Robinson,

Put in the London East End vernacular it's "fitting up".

Isn’t “fitting up” the same as “framing”? That’s not what this is about.

It's not new though. I was talking about the Salem Witch trials [...]

It was an atrocious idea then, and it’s an atrocious idea now.

MarkMarch 19, 2018 10:25 AM


1. are your motivations for you and I to foster a conversation, done by your own free will and not by the influence of a foreign government, organisation, group, or criminal elements ?

2. do you have a criminal record or associations with people involved in criminal activity ?

3. The matter has been referred to the appropriate USA and Australian Authorities.

carrotsMarch 19, 2018 10:45 AM


1. Yes. 2. No. 3. Ok. Please stop avoiding the concerns expressed over FooCrypt and address them.

Why are you not using terminology used by the crypto community?
Why are the keys ridiculously over-sized?
Why is the license proprietary?
Why use multiple passes with same cipher?
What's with the incompetent file hashing?
Why provide support for insecure cipher configurations?
Where is the documentation for the home-brew FooCrypt/internal RNG? Is it peer-reviewed?
Why do you claim unaudited, proprietary software is safe to use?

echoMarch 19, 2018 11:53 AM


I wrote up my opinion on legal issues and gave a later real world current example of action being taken against a neo-fascist hiding behind otherwise legal activities. (The same action might also apply to state sector employees who abuse their position with respect to citizens rights.) I'm not sure what else I can say other than seek your own professional opinion or wait for court judgments.

RatioMarch 19, 2018 2:33 PM


I wrote up my opinion on legal issues and gave a later real world current example of action being taken against a neo-fascist hiding behind otherwise legal activities.

Let’s see:

  • This Metropolitan Police policy is similar in shape to US libel case law. How is this similarity in shape relevant? An actual, relevant parallel would be this: if you make completely legal statements, but someone (anyone) believes your statements to be motivated by prejudice or hate, that would be a ‘hate incident’ and it may be possible to charge you. Except, this is nothing like US defamation law as it exists in the real world.
  • The issue is one of intent to cause harm because of discriminatory reasons. No, it is not. Actually read what it says, and use those critical thinking skills.
  • [...] Border Force has refused entry to a neo-fascist (a.k.a. Nazi in pinstripes). Not the issue at hand: this person didn’t get a chance to do anything (legal or illegal).

Did I miss anything?

I'm not sure what else I can say other than seek your own professional opinion or wait for court judgments.

You could answer the question I asked at the end of my previous comment: what do you think those three sentence mean? What do they describe? (Hint: neologism, 12 letters.)

Clive RobinsonMarch 19, 2018 2:40 PM

@ VinnyG, Mark,

I spent a lot of time during my last few working years responding to younger colleagues' claims of some "new, revolutionary" development with, "Yeah, we used to call that xxxxx" :)

Yes I know that feeling, but I don't want to make them "my last few working years" if I can just get people to "learn a little history"... Oh and two other things I plan to work till I drop because we give up something when you are having fun, and I also intend to live for ever... I'll let you know how it works out ;-)

Clive RobinsonMarch 19, 2018 3:33 PM

@ Ratio,

Isn’t “fitting up” the same as “framing”?

It deppends on who you ask, but "Framing" or "Putting in the frame" is generally considered to be something done after a crime has been committed and usually by the Police.

Fitting up on the otherhand is derived from "making a suit" that is before or during the crime, and is usually done by another criminal or person with malintent.

It was an atrocious idea then, and it’s an atrocious idea now.

Yes it was and it is, more and more legislation in the UK is reversing what we would call the "justice of presumed innocence". With the burden of proof moving from the prosecution to the defendent. Thus there is a very clearvand quite drastic "inequality of arms". It's the sort of thing "Show Trials" rely upon.

In the UK the criminal justice system is in very dire straights due to financial cut backs that became swingeing under the current UK Prime Minister when she was Home Office minister. So much so a member of the legal brethren has written an anonymous author book about it, which has certainly caused more than ruffled feathers in the current political classes.

Clive RobinsonMarch 19, 2018 3:41 PM

@ Winston Smith,

This is dangerous... And there will be more coming in the years ahead:

It's already several steps ahead of that in the UK with the Met Police not just getting cell phone location data but also meta and content data on SMS's and the likes of twitter and Co traffic looking for related photos / searches" etc. They are also doibg it with "travel card" information. Which in the case of many is the modern form of an identy card as far as the police are concerned...

VinnyGMarch 19, 2018 4:07 PM

Ah, good on ya if it's still fun :) I spent my entire career believing that I could accomplish "good things" (it sure wasn't primarily the money, which was "OK" but only just that) if I could just get beyond that next looming wall of bureacracy (corporate or governmental.) Quite a let down to finally realize that there was an apparently infinite series of those walls. In short, I tired of swimming against the current and opted for the nearest placid pool.

Winston SmithMarch 19, 2018 4:23 PM

@ Clive Robinson,

So this is a travel card?...

China sees your "travel card" and raises you a "social credit":

I didn't realize that the UK police are legally getting content data(the implication in your phrasing being, "at will, on demand"). We're witnessing evolution from apathy to Panopticon to Statolatry right before our eyes without anywhere to run, prisoners of our own devices (literally, figuratively).

bttbMarch 19, 2018 4:35 PM

"60 Minutes" in the News

a) “CBS tentatively sets March 25 for airing ‘60 Minutes’ interview with Stormy Daniels

For a week, the world has waited: When would “60 Minutes” air its interview with porn star Stormy Daniels alleging an affair with President Trump? CBS has been silent. Now there is a planned date, March 25, according to two people familiar with the timing.”

f) “The CBS Interview With Saudi Arabia’s Mohammed bin Salman Was a Crime Against Journalism
“Launched on CBS in 1968, “60 Minutes” has been described as “one of the most esteemed news magazines on American television” and has won more Emmy awards than any other primetime U.S. TV show. It claims to offer “hard-hitting investigative reports, interviews, feature segments and profiles of people in the news.”
Got that? Award-winning. “Esteemed.” “Hard-hitting.”
So why did the segment on MBS resemble more of an infomercial for the Saudi regime than a serious or hard-hitting interview? “His reforms inside Saudi Arabia have been revolutionary,” intoned correspondent Norah O’Donnell prior to the start of her exclusive sit-down with the crown prince in Riyadh. “He is emancipating women, introducing music and cinema, and cracking down on corruption.”
Move over Tom Friedman and David Ignatius — in O’Donnell, the Saudis seem to have found a new cheerleader within the U.S. press corps. Forget the Saudi bombardment and siege of Yemen, described by United Nations agencies as “the worst humanitarian crisis in the world,” which received a mere two minutes of coverage over the course of a 30-minute segment. Forget the horrific Saudi record of beheadings and stonings, which received zero coverage from the “60 Minutes” team in Riyadh. Instead, we were treated to O’Donnell oohing and aahing over the crown prince’s youthfulness, workaholism, and — lest we forget — support for women drivers.
The interview itself consisted of one softball question after another. (Example: “What’s been the big challenge?” Another example: “What did you learn from your father?”)
So, in a spirit of constructive criticism, and in an attempt to try and push back against the U.S. media’s bizarre love affair with MBS ahead of his D.C. visit …
Here are 10 much tougher, more relevant questions that “60 Minutes“ could and should have asked
1) You helped launch the war in Yemen in 2015 and continue to accuse Houthi rebels of causing all the violence and suffering there, yet the United Nations has blamed airstrikes by the Saudi-led coalition for the majority of Yemeni civilian deaths while Amnesty International has documented “34 air strikes … by the Saudi Arabia-led coalition that appear to have violated international humanitarian law” including “attacks that appear to have deliberately targeted civilians and civilian objects such as hospitals, schools, markets and mosques.” How do you square “reform” at home with war crimes abroad?”
“4) You have compared Ayatollah Khamenei, Iran’s unelected and self-styled “supreme leader,” to Adolf Hitler, but what about your own autocratic style of rule? You have cracked down on dissent by rounding up clerics, intellectuals, and activists and have detained and allegedly tortured your fellow princes — is it any wonder that the prominent Saudi journalist and former adviser to the royal family, Jamal Khashoggi, has compared you to Vladimir Putin and called you Saudi Arabia’s very own “supreme leader”?
5) You say these princes had to be arrested as part of an anti-corruption drive, but how are Saudi citizens supposed to know whether or not you’re corrupt, too? After all, you’re the prince who spotted a Russian-owned luxury yacht while on holiday in the south of France and then bought it on the spot for $550 million — where did that money come from?
6) Shouldn’t you also be wary of invoking Hitler given Saudi Arabia’s history of brazen anti-Semitism? In fact, as part of your “reform” efforts, would you be willing to apologize for the Saudi-based Arab Radio and Television Network’s production of a TV series based on the notorious “Protocols of the Elders of Zion”; or for the imam of the Grand Mosque in Mecca calling Jews “rats of the world” and “the scum of the earth”;  or for your own father, King Salman, attributing the 9/11 attacks to a Mossad “plot”?
7) You have suggested in this interview that Iran is working with Al Qaeda. Yet Bob Graham, the former chair of the Senate Intelligence Committee, has said that 28 declassified pages of the 2002 Congressional Joint Inquiry suggest “a strong linkage between [the 9/11] terrorists and the Kingdom of Saudi Arabia, Saudi charities, and other Saudi stakeholders.” Isn’t it time the government of Saudi Arabia admitted to its extensive and long-standing role in funding, arming, and inciting “jihadi” terrorism?…”

“… Since that article, Weiss has predictably written multiple banal columns for the Times denouncing what she perceives as growing left-wing intolerance for dissent in general, but particularly on college campuses. I’ve watched as Weiss has become celebrated in right-wing circles as some sort of paragon of free expression and academic freedom, and mourned by centrists as the tragic victim of online PC mob silencing campaigns (imagine being a columnist and editor at the New York Times — with full access to the most influential media platform in the world — and seeing yourself as the victim of silencing and censorship), even though her entire career is grounded in precisely the viewpoint suppression, vilification, and censorship campaigns she now depicts herself as loathing.
All of this finally came to a head last night after Weiss published yet another column complaining that she and her ideological comrades are unfairly criticized by left-wing authoritarians who try to silence them by associating them with “fascism.” Weiss’s column was so replete with humiliating factual errors, shoddy argumentation, and glaring holes in reasoning that she ended up trending on Twitter, and her editors had to delete an entire paragraph from her column and then add an editor’s note explaining that she had cited evidence that was an obvious hoax.
In the course of the controversy, Weiss, in a tweet-essay that began here, finally addressed her own history of trying to ruin the careers of Arab and Muslim scholars for the crime of criticizing Israel. Unfortunately, she did so by falsely denying what she actually did, making demonstrably untrue claims about the controversies in which she was involved, and, worst of all, outright ignoring the most egregious example of her viewpoint-suppression campaigns:
I want to address a baseless accusation being peddled by @ggreenwald and others on this platform. When I was an undergraduate student at Columbia, I advocated for the rights of students to express their viewpoints in the classroom.
— Bari Weiss (@bariweiss) March 8, 2018 …”

Finally, if you want to go down rabbit holes try the last ten or so threads, including comments, at .

carrotsMarch 19, 2018 7:20 PM


One thing I want to add that really bothers me. You said

DK = PBKDF2(PRF, Password, Salt, c, dkLen) am unsure why you are even referencing RSA terminology

I was wondering why you mention RSA. Then I realized. When one has no idea PBKDF means generic "password based key derivation function" and types "PBKDF" into Google, and clicks on the wikipedia article, they end up in

that says the exact same thing. Now there are plenty of sites where that exact string also appears. But then, you say

am unsure why you are even referencing RSA terminology

I couldn't find other sites that contain that string and "RSA". Correct me if I'm wrong, but it looks like you picked RSA from the first sentence of the Wikipedia article:

PBKDF2 is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series

So the reason you wrote "am unsure why you are even referencing RSA terminology" was
a) you did not know PBKDF(2) is part of RSA Lab terminology
b) you did not know PBKDF is not part of RSA algorithm terminology and did not bother to notice the sentence was about the lab
c) you had no idea what you were saying, you where just techno babbling: copy pasting, trying to sound professional, but you ended up contradicting reality (see a) and b))

My conjecture is b) because that would explain why you parsed together RSA with PBKDF in the first place. Had you linked RSA to PBKDF through PKCS #5, you would have not wondered why I was using "RSA terminology".

So my conclusion is this: Not only are you not clueless, you're at the same time aware of it and actively attempting to hide it. It's fine to do fact checking and even copy-pasting the PBKDF pseudo-code without source. But hastely copy pasting something from Wikipedia to avoid being caught is ethically wrong. You are willfully ignorant about the possible consequences of the snake oil products you produce, and based on your attempts to fake knowledge and silence critique, you have lost all credibility in my eyes for good.

A Nice Human BeingMarch 19, 2018 7:38 PM

@ carrots

Please do not apologise for wasting the moderators time. You have made a stellar contribution. I really appreciate your detailed exposition; the way you reference the Schneier Laws of Crypto to support your points; your careful questioning; and just your insight about the context of RSA. And the way you wouldn't let up. Each response you gave taught me something new.
There are tons of people reading who would have wondered about the product being 'advertised' here and sought to try it. (not that it was being advertised, it was simply being shared. I think it was perfectly acceptable for Mark to share news of his program here and elucidate as he did.)
That is to say, there are plenty of beginners, intermediate and advanced level readers here whom happen not to specialise in crypto and would not have appreciated the level of insight you have now made possible. They may have taken Foocrypt at face value.

@ Thoth

Understood about the deafening silence of the regular contributors, as you pointed out.
Yet, as one whom recognises your brilliance - am disappointed neither yourself and the other [brilliant] usual suspects chose to withold comment - for the reasons given above, I feel it would have been more appropriate to respond to Foo Crypt in the manner @carrots has. By not responding, people that don't know better - don't know any better

@ Mark

You said it yourself - you are a professional.
So, please don't fold up and/or take any of this personally. The discourse that has occurred here is, at an absolute bare minimum, precisely the sort of interrogation and investigation one should expect a security product to be exposed to. You've learnt something. Congratulations! Now you can move forward. Most don't get the former or the latter
opportunity (learning something, and moving forward) Grab this gift and keep growing

A Nice Human BeingMarch 19, 2018 7:45 PM

Historically - and the regulars occasional joke about it - when some new product or code comes on the scene,claiming high infosec potentials,especially something Bruce Schneier has posted about. Assuredly, the Schneier Comments section will be extremely scathing and tear strips off it! It's essential, valuable, and entertaining in an educational way. Occasionally the creators of said product will even counter respond in the comments, to the great benefit of all concerned.

Such a dynamic not happening is the exception.

bttbMarch 19, 2018 8:29 PM

Alex Stamos, formerly CISO at Yahoo!, is leaving Facebook.

"Facebook Executive Planning to Leave Company Amid Disinformation Backlash

As Facebook grapples with a backlash over its role in spreading disinformation, an internal dispute over how to handle the threat and the public outcry is resulting in the departure of a senior executive.

The impending exit of that executive — Alex Stamos, Facebook’s chief information security officer — reflects heightened leadership tension at the top of the social network. Much of the internal disagreement is rooted in how much Facebook should publicly share about how nation states misused the platform and debate over organizational changes in the run-up to the 2018 midterm elections, according to current and former employees briefed on the matter.

Mr. Stamos, who plans to leave Facebook by August, had advocated more disclosure around Russian interference of the platform and some restructuring to better address the issues, but was met with resistance by colleagues, said the current and former employees. In December, Mr. Stamos’s day-to-day responsibilities were reassigned to others, they said.

Mr. Stamos said he would leave Facebook but was persuaded to stay through August to oversee the transition of his responsibilities and because executives thought his departure would look bad, the people said. He has been overseeing the transfer of his security team to Facebook’s product and infrastructure divisions. His group, which once had 120 people, now has three, the current and former employees said...."

RatioMarch 19, 2018 8:49 PM

@A Nice Human Being,

Yet, as one whom recognises your brilliance [...]

Pet peeve: it’s “as one who recognizes your brilliance”.

Just forget “whom” even exists and always use “who” (unless you want to sound formal and you’re absolutely sure you know what you’re doing, which, it turns out, most people don’t).

Bruce SchneierMarch 19, 2018 9:15 PM

@ Clive Robinson

"Perhaps you might consider a few hardware papers every now and then so that readers can get their heads around some of the more bizarre aspects of CPU side effects."

It's a good idea. Please e-mail me links when you come across them.

Jim JeffriesMarch 19, 2018 10:23 PM


enjoy your postings, here

a comment you made about metpol yesterday succintly and directly reminded me of a feature film, of a couple years back
Many in the US may consider it essential viewing. It is a dramtised version of a real person and real event.
Breathtaking cinema
' Fruitvale Station'

Wesley ParishMarch 20, 2018 5:18 AM


After re-reading your reply to @Mark on FooCrypt, I suddenly remembered the thing had had niggled at me the whole evening after first reading - there's an interesting aspects of fractals that I keep getting reminded of: strange attractors.

iterating any given text through a cryptographic transformation such as has been described by @Mark, starts to sound like a strange attractor.

What I'm thinking may happen is that parts of the original plaintext may wind up being exposed, even if superficially covered by a layer of encryption. (It's not the first time that's happened: it's how the ADFGVX cipher got broken in the First world War.)

Just my 0.02c worth on it.

ModeratorMarch 20, 2018 7:49 AM

@Mark aka @RogerOverEco aka @EcoOverRoger aka @AnyOtherSockPuppets: Again, please take a week off from this forum.

ThothMarch 20, 2018 8:29 AM

@A Nice Human Being

I have gone down the path as what @carrots have done before if you search the history using my nickname.

I find it more meaningful and time well spent to develop proper security and to implement the idea @Clive Robinson and myself have conceptualized. The main idea is to create proper security and introduce it to the masses so that people will have a better preference to implementations that are properly planned and executed.

AlanSMarch 20, 2018 8:41 AM

A perspective on the broader significance of Cambridge Analytica. William Davies, a sociologist who I quoted above ("Even the most pessimistic social theorists of the last 150 years were not against enlightenment, so much as the machinery that it made available to less enlightened political forces") had a long-read article in the Guardian back in January 2017 that looked at the role of statistics in liberal democracy over the last several hundred years and how the use of statistics contrasts with the use of 'Big Data': How statistics lost their power – and why we should fear what comes next.

Few social findings arising from this kind of data analytics ever end up in the public domain. This means that it does very little to help anchor political narrative in any shared reality. With the authority of statistics waning, and nothing stepping into the public sphere to replace it, people can live in whatever imagined community they feel most aligned to and willing to believe in. Where statistics can be used to correct faulty claims about the economy or society or population, in an age of data analytics there are few mechanisms to prevent people from giving way to their instinctive reactions or emotional prejudices. On the contrary, companies such as Cambridge Analytica treat those feelings as things to be tracked....The new apparatus of number-crunching is well suited to detecting trends, sensing the mood and spotting things as they bubble up. It serves campaign managers and marketers very well. It is less well suited to making the kinds of unambiguous, objective, potentially consensus-forming claims about society that statisticians and economists are paid for. In this new technical and political climate, it will fall to the new digital elite to identify the facts, projections and truth amid the rushing stream of data that results. Whether indicators such as GDP and unemployment continue to carry political clout remains to be seen, but if they don’t, it won’t necessarily herald the end of experts, less still the end of truth. The question to be taken more seriously, now that numbers are being constantly generated behind our backs and beyond our knowledge, is where the crisis of statistics leaves representative democracy....A post-statistical society is a potentially frightening proposition, not because it would lack any forms of truth or expertise altogether, but because it would drastically privatise them. Statistics are one of many pillars of liberalism, indeed of Enlightenment. The experts who produce and use them have become painted as arrogant and oblivious to the emotional and local dimensions of politics. No doubt there are ways in which data collection could be adapted to reflect lived experiences better. But the battle that will need to be waged in the long term is not between an elite-led politics of facts versus a populist politics of feeling. It is between those still committed to public knowledge and public argument and those who profit from the ongoing disintegration of those things.

VinnyGMarch 20, 2018 8:54 AM

Just a question. The initial post in each Friday's Squid topic states: "As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered."
I've always taken that literally, and tried to make sure that any comment I posted had (at least some) infosec-related content (possibly with less than 100% success;-) However, it seems that for several weeks, every Friday I have seen multiple posts that are largely or wholly political in nature, and virtually, if not literally, devoid of any apparent security content (unless one accepts the premise that nearly everything political has security implications, at some remove.) This phenomenon seems to me to be on the increase. In that time, I've also not seen any attempt by the moderator(s) to flag those posts or admonish the posters. Are purely political posts fair game here now?

ModeratorMarch 20, 2018 9:54 AM

@VinnyG: "Are purely political posts fair game here now?" No, they're not. "This phenomenon seems to me to be on the increase." Since the 2016 U.S. election season, it's been a chronic problem. "I've also not seen any attempt by the moderator(s) to flag those posts or admonish the posters." Over the past couple of years, we've removed dozens of wholly partisan posts, usually without comment, and have occasionally reminded visitors of the commenting policy. We prefer not to micromanage discussions, and given the considerable overlap between politics and security, we cut our visitors plenty of slack. Moderating this blog is a very-part-time job, so we appreciate visitors calling attention to offensive or disruptive posts.

carrotsMarch 20, 2018 12:39 PM

@Wesley Parish

Properly implemented modern cipher does not get weaker if you apply it multiple times, even if the key is the same (as long as the nonce is different). But proprietary application developed by someone this incompetent makes one's imagination spin about all the possible ways they could have endangered the implementation of that modern crypto. There's no documentation, audit, source code, or common language that can be used to verify that's not the case, hence it's safer to assume the worst.

Unfortunately I don't know anything about fractals so I'd rather not comment on that. Something that explains their relation to cryptanalysis would be interesting reading though.

D-503March 20, 2018 3:34 PM

A couple of security vulnerabilities (broadly speaking) in Bitcoin are getting press coverage:
1st, apparently it's possible to insert arbitrary data into Bitcoin's bockchain, with several different methods available:
So far, most of the content has been benign. Wedding photos, "kilroy was here" type tags, Chelsea Manning's tranche of US diplomatic cables. But a little bit of it is not benign: doxxing of individuals, private chats, possible "revenge porn", even a directory of child pornography websites. Interpol has pointed out that malware can theoretically be inserted as well.
Here's a news article with a slightly sensatonalistic title:
2nd, more in the category of "bleedingly obvious"*, since Bitcoin is in principle much more traceable than conventional financial transactions:
*nevertheless, "even the obvious needs evidence"

A Very Nice Human BeingMarch 20, 2018 6:53 PM

@ Ratio

-Just forget “whom” even exists and always use “who” (unless you want to sound formal and -you’re absolutely sure you know what you’re doing, which, it turns out, most people -don’t).

That's a helpful comment. While I know there were a few grammaticals in my post I'm interested you picked up on the 'whom' instead of my more salient (and topical) ones Yet I appreciate the insight and what it means to be irritated by inappropriate use of language. How about this. I forgo all use of 'whom' if, every time you feel tempted to spell a word with a Z - you use a S instead ;-) And it's pronounced ZED by the way ;-)

@ Thoth

-I find it more meaningful and time well spent to develop proper security and to implement -the idea

I get it, completely. Admittedly I was partially guessing such was the case. Thankyou for responding.

hmmMarch 21, 2018 2:39 AM

"whom" is having something done to them, the object of a verb/preposition.

It's really not so difficult that we have to lose another word to the void of convenience.

There are other words to destroy first. I won't moisten the obvious.

CassandraMarch 21, 2018 4:59 AM

@A Very Nice Human Being

The -ize versus -ise endings issue is a little more complicated than you might expect. If you follow 'Oxford spelling', then which ending is preferred depends upon the ancestry of the root of the verb. Should it have come into the English language from Latin, the ending is recommended to be -ise; but should it have a Greek provenance, the ending is recommended to be -ize.

There is a nice single page discussion of the issue here:

I would recommend that one takes a pragmatic, liberal approach, and accept that English is not defined by an august academy publishing rules to be observed, but a living language where dictionaries and grammars are mainly descriptive, rather then prescriptive. For me, the important things are: primarily to be understood; and secondarily to be consistent in one's own usage, generally following precedent.

Both the King James version of the Bible, and Shakespeare's works make extensive use of the '-ize' ending. The 13 colonies were barely started at that time, so it is not a purely American practice seeping into English.

I like to sprinkle my English with a few archaisms from time to time, just to keep readers on the hop, but I'm not in the league of Will Self or Stephen Fry, for example, both of whom have large vocabularies, and are not afraid to use them. (The Stephen Fry link is an interesting read for a non-technical fan of technology's view on the 'way ahead' for the Internet).

I have come to appreciate the beauty of English modified by use in different cultures. The language has changed over time, and continues to change. My earnest hope is that the multiple strands will remain mutually intelligible, and we can all enjoy and benefit from the linguistic pot-pourri that is a lingua franca for the world. Of course, English may be at the beginning of the end of its dominance, and we should all strive to learn 普通話.

ThothMarch 21, 2018 8:38 AM

@Clive Robinson

AMD Exploits, all four of them, have been confirmed by AMD themselves and other independent labs.

The worrisome thing that continues to loom is the false view that Administrative Access is difficult to obtain.

Administrative Access can be acquired by phishing and many other methods and it's appalling to see that the severity has been lowered because of the argument of "Admin Access is hard".

Patches will never be able to fix a broken architecture, namely anything derived from the ARM TZ. The only way to solve the problem is to remove it's roots (not just ARM TZ) but the way all processors are designed which you have mentioned many times in the past.

Back to meddling with the LC4 hand ciphering techniques and always do paper and pencil and never use electronics for anything absolutely sensitive.


vas pupMarch 21, 2018 8:40 AM

On security of proper crowd management:
"The work of psychologist Anne Templeton of the University of Kent, for example, shows that many crowd simulation tools fail to account for the way members of a crowd interact with each other. A ‘physical crowd’ (basically just a group of bodies in the same space) would be modelled differently to a ‘psychological crowd’ (where a crowd has a shared sense of identity). For instance, Templeton says, “at a fundamental movement level, psychological crowds will walk slower and further in order to keep close formation with fellow crowd members.”
The increasing sophistication of data modelling may allow for these harder-to-see factors to be incorporated into scenario planning. “Physical crowds can become psychological crowds in emergencies, and so computer models should also be versatile to accommodate the change in group identity and behavioural changes that come with it,” Templeton says. Interviews (what people say) could be combined with sensors (what people do) to achieve a fuller understanding of human behaviour and needs.
Crowds are surprisingly complex and sophisticated. But so, increasingly, are techniques for understanding them."

CassandraMarch 21, 2018 9:13 AM


I would say that it is unlikely that patches would fix a broken architecture, rather than 'never'. There are probably a few edge cases, e.g. fusible links that disable entire blocks of a die. But I certainly agree with the sentiment.

As it happens @Guest posted as a blog comment here a link to news that AMD have announced that the CTS-Labs exploits can be patched in weeks. The link is duplicated here, for your convenience: Anantech: AMD Confirms CTS-Labs Exploits: All To Be Patched In Weeks.

Of course, I do not believe that all flaws can be patched in this manner - it is just lucky happenstance that apparently they could in this instance.

It might be an interesting project to produce a mechanical implementation of LC4 that could be 3D printed. Even a board with Scrabble-like tiles could be useful if it facilitated the shifting of rows and columns.


Simmon HallMarch 21, 2018 12:45 PM


which Operating System is your " /dev/urandom CSPRNG " information based on ?

carrotsMarch 21, 2018 1:25 PM

@Simmon Hall

Linux kernel 4.8 and newer. I realize OSX/Unix/BSD might do things differently.

VinnyGMarch 21, 2018 1:57 PM

@moderator re: political posts - fair enough, thanks. I have hesitated to point out posts that I believe offend that standard, because of concern about starting a flame war if the "tilt" of an espoused political opinion is judged more important than whether or not it relates to security. My concern is based on the fact that my politics seem to differ significantly from those evinced by most posters here. There are already more than enough sites that began as reasonable places to exchange and debate ideas (technical or otherwise,) that have devolved into fora for intractable zealots to attack anyone who dares evince an opinion that differs from their own...

RatioMarch 21, 2018 6:00 PM

@A Very Nice Human Being,

[...] you picked up on the 'whom' instead of my more salient (and topical) ones

I don’t comment on everything I pick up on. ;-)

Regarding your main point, if some of the regulars do critique product X, service Y, or idea Z, that doesn’t mean they’re right about everything (or even anything). Nor are others necessarily correct in praising X, Y, or Z. So, what are people who don’t know any better going to do now?

By the way, getting back to “who” and “whom”, I’d like to slightly revise my advice. Keep in mind that deciding between “who” and “whom” is like deciding between “he” and “him” or between “they” and “them”. If you can’t figure out which one it should be, use “who”. (Hat tip to @Cassandra for writing “both of whom”.)

Nice Human BeingMarch 21, 2018 7:18 PM


What a charming response. Wonderful. Thankyou! My idea of trading with Ratio was nothing more than good natured teasing but I'm glad I wrote it. I got to enjoy your fruits.


"if some of the regulars do critique product X, service Y, or idea Z, that doesn’t mean they’re right about everything (or even anything). Nor are others necessarily correct in praising X, Y, or Z. So, what are people who don’t know any better going to do now?"

Wow. So, according to your pedantic view, people shouldn't comment at all because it's merely their opinion and doesn't meet some criteria of objectivity?

@carrots correctly reminded @Mark that cryptography is a body of knowledge with commonly understood terms of art, and criteria that define strict working methodology.

I'm not being actively critical. I am sure you are a wonderful fellow or lady whom is a splendid conversationalist. I do have trouble relating to your common methodology on this forum of, shall we say, splitting of hairs with a razor: when a simple machete would suffice. And so it's clear, I did enjoy your response about whom vs who (both times)
Incidentally, are you by chance a Freemason? The alias prompted this.
In kindness and warmth, enjoy your eve

RatioMarch 21, 2018 9:22 PM

@A Nice Human Being,

(That’s a bit less nice than yesterday…)

Wow. So, according to your pedantic view, people shouldn't comment at all because it's merely their opinion and doesn't meet some criteria of objectivity?

No, not at all; my comment wasn’t about them. I was talking about this:

There are tons of people reading who would have wondered about the product being 'advertised' here and sought to try it. [...] They may have taken [the product] at face value. [...] By not responding, people that don't know better - don't know any better.

My point was: how will these people (reading) know what’s true?

(That’s not a comment on anything you or @carrots have said, but rather on the lack of critical thinking that’s causing those readers problems.)

I do have trouble relating to your common methodology on this forum of, shall we say, splitting of hairs with a razor: when a simple machete would suffice.

I find it harder to split hairs with a machete. ;-)

Incidentally, are you by chance a Freemason?

Nope. Are you?

bttbMarch 21, 2018 11:15 PM


SCL and Cambridge Analytica may have helped f?ck the 2016 United States of Amnesia ("'USA'") election with social media data, military grade propaganda, and dirty election tricks.

What goes around comes around, perhaps, or blowback. Ironically, perhaps this masterful f?ck of the USA, or blowback, was paid for and perpetrated by largely US citizens (the Trump campaign, Mercers, Stone, Manafort, etc.,) to perhaps 'Make America #1'.

Each video below is around 20 minutes
Part one: The Whistleblower ; Christopher Wiley
Part two: The sales pitch ; this video was posted above
Part three: The Trump campaign

and for readers, w/ or w/o javascript,

The New Military-Industrial Complex of Big Data Psy-Ops
Beware the Big Five
The Bitter Secret of 'Wormwood'

bttbMarch 21, 2018 11:30 PM

Is Mike Pompeo beholden to his political supporters?

“AMY GOODMAN: And, Lee Fang, his connection to the Koch brothers?
LEE FANG: Right, and I think this is very important for understanding Pompeo’s character. Pompeo has deep ties to the Koch brothers. The Wichita seat that he represented in Kansas was the headquarters of Koch Industries. Early in his career, he received an investment from the Koch brothers, when he started an aerospace company. The Koch brothers really handpicked him to run for that open seat in 2010. His only political experience was appearing at tea party events organized by the Koch brothers’ political machine, and they were his largest contributor.
Why is this important? Well, once he got to Congress, Pompeo was a loyal foot soldier for the Koch brothers’ political agenda. He constantly attacked pollution regulations, climate change regulations, and advanced attacks on renewable energy. So, you know, other than tax cuts, this is a top legislative priority for the Koch brothers. And I think that that speaks to Pompeo’s character, that he’s really been beholden to his political supporters.
And again, just looking at his relationship with Trump, he was a big Trump supporter during the presidential campaign. He’s been incredibly loyal, unwilling to really question Trump’s agenda. And so, if he’s secretary of state, he will be very different from Rex Tillerson, who was at least—who at least attempted to be even-handed in some complicated disputes. Pompeo, I think, is much more likely to be a loyal foot soldier.
AMY GOODMAN: John Kiriakou, you had a different feeling about Mike Pompeo, who President Trump just tweeted, when he informed Rex Tillerson he was fired, that Mike Pompeo would be replacing him as secretary of state.
JOHN KIRIAKOU: Not necessarily different. I think all of that is true. And I’ll tell you, where I think he’s most dangerous is on Iran, because Mike Pompeo has made it very, very clear that he intends to take a tough stand on Iran. He opposes the Iran nuclear deal, consequences be damned. And, you know, President Trump likes to surround himself with yes men on issues like that, like Iran and terrorism. Mike Pompeo is a yes man.”

Wesley ParishMarch 22, 2018 2:46 AM


After discovering them in the 90s and a bit of "fractal fanboism" that never got as far as I should've taken it, I left it. I think I will have to take it back up and go to work on it again.

I've already started to wonder about some other non-physical systems where publicly-available visualizations of numeric data appear to be similar to that of fractals and strange attractors.

But yes, it would make an interesting few years working through the maths of cryptography and the maths of fractals to work out what, if any, correlations there are.

Clive RobinsonMarch 22, 2018 6:26 AM

@ Thoth,

Back to meddling with the LC4 hand ciphering techniques and always do paper and pencil and never use electronics for anything absolutely sensitive.

@ Cassandra,

It might be an interesting project to produce a mechanical implementation of LC4 that could be 3D printed. Even a board with Scrabble-like tiles could be useful if it facilitated the shifting of rows and columns.

Some people are at state level going back to typewriters with paper records in file dockets. That then get locked in file cabinates in secure rooms with armed guards etc on the door.

The view point some have is I guess the more "physical" you make sensitive information the harder it is for it to escape, be stolen or copied. But of less obvious reasoning security wise is durability, paper records printed with the right inks and stored in the right environment will outlast any electromechanical device, and importantly will remain accessable at more or less the same cost.

Whilst I don't think we will go back to tablets of stone, the point is with electronic / electromechanical storage there is a very high price to pay that most can not see.

But to get back to the main point people realy need to grasp,

    The Security end point should always be beyond the communications end point an attacker can exploit.

Whilst some what easier to say that, than list what needs to be considered, there is a lot involved with even getting to a simplified version.

For instance, mechanical devices have characteristic noises in their function. That is the information about the functioning and internal state of the machine gets impressed on the sound created as a result of the mechanical devices inefficiency.

To many the thought would be "So what", but back in the 1950's the UK MI5 were getting microphones into other countries "crypto-cells" to hear their operation and use it as a side channel to work out wheel turn over points etc.

Even the most theoreticaly secure of systems have this problem. Giles Brassard a co-inventor of Quantum Cryptography Key Distribution that is according to our current understanding of physics secure in the communications channel knew during his experiments in the early 1980's exactly what state the polarizers were in because they made so much noise...

We also know that whilst sound does not travel through a vacuum, or even that well in air, it can go around the world under certain conditions. I guess most of us have seen a cowboy movie where a native American indian puts their ear on a rail on the train track to hear the train a very very long way away...

It demonstrates that in an appropriate channel sound can travel very far. Infact constrained in such a way sound can travel well beyond the point it would have dropped below the noise floor if radiated not conducted. Similar applies to other forms of energy that can be conducted or radiated, a point that many forget when setting physical security margins...

Information gets impressed on energy and matter, and as we should know from high school physics they are both in effect etetnal which is why we can still observe the cosmic microwave background billions of years after the Big Bang and gain information from it.

Thus the hard trick is effectively seperating information from energy/matter before an attacker can get to it... Relying on the noise floor to cover it up as used to be the case with public understanding of TEMPEST is really not the best way to go...

CassandraMarch 22, 2018 7:03 AM

@Clive Robinson

Clive, your point about side channels arising from the equipment is well made. From an OPSEC point of view, of course a mechanical aid should be viewed suspiciously, if also for no other reason than it is difficult to construct plausible deniability if you are discovered in possession of such an aid. LC4 can be performed using no more than a sheet of paper and a writing implement, and the paper 6x6 'Polybius Square' can be destroyed afterwords. It would not be difficult to reproduce the tiles from memory as needed.

Assuring that one's encoding or decoding session is not eavesdropped is quite difficult, given how easy it is to conceal microphones and cameras. Thankfully, it is extremely unlikely that I will find myself in a situation where I would need to communicate secret information from a location where a state-level surveillance capability could be reasonably suspected of being used against me. People who do have such needs are, no doubt, trained in the necessary methods.

But thank-you again for making clear that 'energy-gapping' applies to non-electrical systems as well.


CzernoMarch 22, 2018 10:53 AM

@All... who(m) have had practical experience with pen, pencil and or mechanical encrypting devices in the real world [that would be YOU, @Clive, @Bruce, several other well respected @contributors...] : how much time are you estimating would be required for an occasional (respectively, a well trained) operator to encrypt say, a 500 character message using the "Elsie Four" (LC4) system ?

gordoMarch 22, 2018 11:25 AM

What Everyone Needs to Know About the Facebook Data Breach
You could’ve been affected even if you use other social media apps.
By Molly McKew | Cosmopolitan | Mar 19, 2018

It doesn’t matter if you don’t use your feeds for politics; your feeds are using you for politics.

In other words: It's becoming transparently obvious that social media is no longer a trusted intermediary—anywhere.

name.withheld.for.obvious.reasonMarch 22, 2018 4:13 PM

Congress has wrapped a turd in the omnibus appropriations bill, an act to force companies with data held over seas to make it available to law enforcement. This will complicate cloud services to no end.

Clive RobinsonMarch 22, 2018 4:36 PM

@ Name.withheld...,

Congress has wrapped a turd in the omnibus appropriations bill...

Two things arise from this,

The first is that it means US "user data oriented" companies can nolonger carry out what they do in the EU. Further thst any EU company performing corporate "due dilligence" is going to have to not use US companies. Or even US companies with any US investment...

Secondly when are the US citizens going to wake up to the significant harm this "tack-a-turd" on a bill policy has on them and say to there representatives "enough is enough".

Clive RobinsonMarch 22, 2018 5:33 PM

Is Cambridge Analytics the only one?

Whilst the Zuckerburg drifts into another personal data scandal and various political scammers are caught with their pants down. A question arises, just what on earth is going on in the murky world of personal data collection.

Welk for what it's worth, Cracked Labs has tried to dig a bit,

Clive RobinsonMarch 22, 2018 5:59 PM

A Guide to Modern Hardware

After Specter and Meltdown blighted peoples new year people asked the usual "How could this have happened?" question, to which the actual answers did not make a lot of sense to most people.

This is because it involved realy quite low level logic in the CPU and these days very very few people get to work in those areas.

Thus to get a good understanding you need to have a starting point and work towards the particular area.

Not so long ago getting books on VHDL and logic ment parting with upwards of 50USD even as an impoverished student. However times have changed and some are putting out books for free. One such is,

If people want to jump ahead then starting at Chapt 21 will give background about how we got to where we are today.

Clive RobinsonMarch 22, 2018 7:20 PM

Cambridge Analytica parent SCL

Finally the US has opened it's ears a little bit to other information on the "election rigging" in 2016.

Cambridge Analytica however has a parent company that is even more "shady" and it's known as SCL and who runs it and what they are upto might shock more than a few people in the US,

Me thinks that a certain special investigator is not looking under the right rocks.

echoMarch 22, 2018 8:19 PM

None lethal weapons have their pluses. A big problem though covered by a UK documentary some yearsago is that none lethal weapons would allow authoritarian regimes to repress without creating too many bad headlines.

This Military Device Uses Lasers to Scream, Flash, and Burn Clothes


Bell-Pottinger sailed close to the wind. This week Cyrus Vance handling of the Weinstein case is being reviewed after his earlier lack of willing to prosecute high profile people such as Ivanka Trump and Trump Jnr and Strauss-Kahn while later being happy to accept political donations from their lawyers.

MarkHMarch 23, 2018 1:02 AM

The Obvious is Often True

Security analysts early on traced "Guccifer 2.0" (a major source for information illegally obtained from U.S. computers) in the 2016 presidential election to a Russian-owned VPN.

Misuse of natural language and a variety of other telltales were consistent with a Russian source, probably governmental (Guccifer claimed to be Romanian, but plainly didn't know the language).

The Daily Beast now claims that for one email, the source apparently forgot to log in to the VPN.

The Moscow IP address can (reportedly) be associated with a specific officer in the GRU, Russia's military intelligence organization. The GRU seems to have been the lead agency for attacking the U.S. election.

The source for the story did not name the officer.

Clive RobinsonMarch 23, 2018 8:29 AM

@ Cassandra,

With respect to an earlier conversation about using Finite State Machines (FSM) for security, and to get around the implications of Kurt Gödel's work on logics and mathematics.

You might find this use of FSMs to make more secure Smart Contracts of interest,

Yes it's longer than papers used to be but, then they all appear to be getting longer these days...

Maybe the "More pamphlet[1] than paper" is a response to the behaviour of journals business practices... A kind of "feel the width not the quality" principle.

[1] I was once told by someone who wrote accademic texts, that "Twenty pages of a paper, when explained properly at undergraduate level should be a book of between three and four hundred pages"...

Clive RobinsonMarch 23, 2018 10:33 AM

@ Bruce,

Tracking Ransomware End-to-end : Danny Huang et al

Is a paper about a two year project into tracking the behaviour of Ransomware operators,

    In this paper, we create a measurement framework that we use to perform a large-scale two-year, end-to-end measurement of ransomware payments, victims, and operators

Which has the following sample size,

    In total we are able to track over $16 million in likely ransom payments made by 19,750 potential victims

Since ransomware operators largely carry out the initial financial side of their activities using Bitcoin which has a public ledger, this provided the research team with a method to uncover and trace ransomware activity in various ways. As the papers authors note,

    Bitcoin has a property that is undesirable to cybercriminals: all transactions are public by design. This enables researchers, through transaction clustering and tracing, to glean the financial inner workings of entire cybercriminal operations.

As the study in the paper indicates, there are times when it is possible to trace ransomware payments from when the victim pays to where ransomware operators convert BitCoin into a more usable and with care less traceble fiat currency.

Which brings up an interesting issue on morals and ethics with regards the victims. As it is possible to trace the bitcoin payment from end to end, it is also relatively easy to disrupt the process.

Whilst this will seperate the ransomware operators of their profits, it leaves victims not just without their files, probably significantly out of pocket, but also in some jurisdictions guilty of committing a crime.

The authors identify this dilemma with,

    This introduces a unique ethical issue. We must consider the impact on victims before taking down ransomware infrastructure. Whereas disrupting conventional malware reduces the damage to victims, the effect could be the opposite for ransomware

But only consider one aspect of this dilemma for individual victims,

    if every victim did not pay or was prevented from paying, the scale of the problem would likely decrease; however this would mean that some individuals would incur additional harm by not being able to recover their files.

A Very Nice Human BeingMarch 23, 2018 7:15 PM


Thanks for your pleasing and entertaining reply.

My knowledge of Freemasons is limited to David Icke books. I recall someone sent you a link about them a while back-linked to many things Arabic.

I did know someone whom, whilst on the wrong side of the bar in court, asked the Judge if they had sworn an oath to another party for example a Masonic Lodge, and did that render their Oath of Office null and were they therefore not fit to preside over the matter?
Hint: it's a highly unrecommended course of action.

Oliver JonesMarch 29, 2018 7:23 AM

What happened to your post with the link to the Atlas Obscura article on history cryptography? It seems to be gone.

I was hoping to comment with a wisecrack about undercover composers of waltzes; the musical examples in the article are all in 3/4 (waltz) time.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.