Friday Squid Blogging: 100-kg Squid Caught Off the Coast of Madeira

News.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on September 7, 2018 at 4:13 PM • 107 Comments

Comments

John F. Pearson • September 7, 2018 4:25 PM

Dallas cop will face manslaughter charge for killing man in apartment she thought was hers, police chief says. Dallas News, 7th Sept. 2018.

Quick rundown of event:

>Bitch cop gets off work
>Goes to the bar for drinks
>comes home drunk
>Opens an unlocked apartment door, thinking it’s her place
>Sees strange black man in “her” apartment
>Shoots first and asks questions never
>Flips on the lights and notices “Dang, this isn’t my place”
>shits bricks.

The state of Murrica.

echo • September 7, 2018 7:18 PM

https://www.theguardian.com/world/2018/sep/07/russia-asks-britain-for-help-identifying-novichok-suspects-gru

Moscow has claimed it wants to ascertain as soon as possible the identities of the two men named by Britain as suspects in the nerve agent attack on a former Russian spy in Salisbury, and asked London to help.

It's very difficult at times to get to the truth of things.

https://www.independent.co.uk/news/uk/home-news/three-female-prisoners-dead-suicide-hmp-foston-downview-bronzefield-10-days-prison-estate-a8528126.html

Three female inmates confirmed dead in English prisons over the space of 10 days. Exclusive: Between 25 August and 3 September 2018, three women died while serving sentences in English jails, in 'deeply worrying' sign that female inmate deaths are on the rise again.

May Bulman of the Independent spiked a story about a doctor raping patients. She also refused to even speak with me when I wanted to discuss discrimination with her before passing on sensitive details of institutional discrimination. The Independent newsroom became pretty hostile when I told them they had gone back on assurances and May Bulman spiked stories with the excuse that they wouldn't report anything unless a court judgment had been obtained first. May Bulman has a real hatred for some women she needs to explain. I have my suspicions but suspect she isn't interested in factual arguments or evidence, especially if it involves policy discussion. One reason for this is because there is evidence that some women have been complicit with or enabled cover-up of abuse, or have played a role in the institutional bullying of other women.

UK police also cover up murder and corporate manslaughter within the state sector. This is known and has been subject to complaints. Deeply buried in one article within the Independent (or Guardian) this was confirmed by the relevant authorities themselves. I commented a few weeks ago the police were covering up sex trafficking. A week or so later the police coincidentally issued a statement they had been neglecting to investigate, which confirmed at least half my allegations.

I also know from a source the DWP committed perjury in court when DWP management claimed they were not sanctioning disabled and unemployed people to meet arbitrary targets.

Wesley Parish • September 7, 2018 11:50 PM

For our US fellows, that sinking feeling is not due to - well, whatever, it's the mid-term elections coming up, and the state of election security going down, rather like the Hindenburg, at least, according to Mother Jones:

Campaigns Are at Serious Risk of Being Hacked, and Congress Is Doing Nothing to Help Them
https://www.motherjones.com/politics/2018/09/campaigns-are-at-serious-risk-of-being-hacked-and-congress-is-doing-nothing-to-help-them/

With the help of our friends in the "Security" and "Intelligence" Services demanding backdoors in security products, we'll finally get the representatives paid for by everybody else, including the mythical man-and-his-dog, instead of the long-suffering taxpayer, or perhaps he'll be billed as well. (This feature is bound to escalate to the other Five-Eyes nations, you see. Everybody except for the usual suspects, follows the US slavishly, cravenly ... There are five eyes I want to blacken, just five. I'm not too demanding, am I?)

echo • September 8, 2018 2:03 AM

This is an interesting article exploring ideas in other areas not heavily considered by Bruce's new book. Joseph Stiglitz suffers from rich white man syndrome and doesn't articulate the range of opinion, especially in terms of lifestyle and human endeavour and art and resource distribution. His views on these subjects are utilitarian and out of touch. That said, the general drift of his message is good and he opens the door for other contributors to enter the discussion, which is nice too.

https://www.theguardian.com/technology/2018/sep/08/joseph-stiglitz-on-artificial-intelligence-were-going-towards-a-more-divided-society
Joseph Stiglitz on artificial intelligence: 'We’re going towards a more divided society'
The technology could vastly improve lives, the economist says – but only if the tech titans that control it are properly regulated. ‘What we have now is totally inadequate’

MarkH • September 8, 2018 3:43 AM

Did You Ever Get the Feeling that Somebody Robbed Your House, and Replaced Everything with Exact Replicas?

Counterfeiting of components used in manufacturing is a very serious and widespread problem. For an example that's easy to understand, aircraft contain fasteners (bolts, for example) which look a lot like counterparts you might find at a local hardware store -- but are made with tight controls on materials, strength, and uniformity. This isn't a hypothetical problem; decades have passed since I first read about counterfeit high-performance bolts showing up in aircraft factories.

I provide engineering services to a Small Manufacturing Company I'll call SMC for short.

For several years, SMC has been preparing to respond to an identified need of a Really Big Customer (RBC). But recently, RBC added anti-counterfeit provisions to the requirements, namely AS5553 (a standard of the SAE).

As interpreted by the guy who studies the fine print, AS5553 is completely infeasible for SMC to meet. SMC can buy individual components whose vendors will certify compliance, but here are examples of barriers, according to the interpretation I heard:

1. The standard includes rigorous chain-of-custody protection and documentation. Sure, a capacitor was AS5553 sourced when it left the vendor. But how did it reach SMC? How was the capacitor stored and handled? How was it secured, and who had access? If it was sent on to a surface-mount assembly facility, how can SMC ensure the chain of custody there? How is the process controlled? It is necessary to provide documentation to support all of this.

But wait, it gets worse ... the same requirements must be imposed on every vendor, all of the vendor's vendors, and so on; this is called flow-down. The logic of it is self-evident, but the implications are staggering.

2. SMC's proposed product is based on an industrial single-board computer. More than 90% of the components are on that assembly, which of course is made by another company.

When we contacted manufacturers of single-board computers, and asked about AS5553 sourcing, the impression we got was one of disorientation, as in "what the hell are they talking about?"

The responses from those manufacturers fell into three categories:

a) No.

b) We'll look into it. [Then dead silence.]

c) We should be able to do this, but you must pay many thousands of dollars up front.

3. One single-source assembly used in the design is a hybrid, which outwardly looks like a monolithic IC in a standard plastic package ... but it actually contains several components inside.

SMC would need the manufacturer of that assembly to comply with AS5553 (in which they had no interest).
__________________________________

If anybody here has had experience with this, or related anti-counterfeit standards, I'd sure be interested to read how it went for you.
__________________________________

So what does all this have to do with security? Well ...

• Component counterfeiting is a serious real-world security problem, specifically a problem of authentication in the face of forgery.

• Anti-counterfeiting is a typical network security problem. [Here, the network is one of physical distribution rather than an electronic data network, but the fundamentals are common.] Network security problems are very difficult: you can spend an awful lot of resources trying to secure the network, but it's virtually impossible to prevent every opening an attacker might exploit.

• Naively, security might seem to be a matter of strength. But strength without usability is valueless. For example, a "bank vault" made as a simple spherical shell of reinforced concrete 2 meters thick would be extremely challenging for robbers to open ... but (by dint of having no door) would lack the useful attribute of being accessible to those authorized to get inside.

albert • September 8, 2018 11:26 AM

@Ismar,
Where's the paper?
..

@MarkH,
"...rigorous chain-of-custody protection and documentation..."
I'm not sure how one would implement that. The issue with fasteners is much simpler than that of ICs and more complicated devices. As far as considering only part reliability, manufacturers usually test batch samples during production. For a bolt, it's pretty simple. For a capacitor, a little more complex; for an IC it could be expensive to test each part. Surely an SBC manufacturer has MTBF data on its products. Chain of custody seems absurd for a bolt. SAE AS5553 may be well intentioned, but it smacks of show without go. It reminds me of ISO 9000. Expensive to implement, and totally useless as a control.

These things appear to be designed to eliminate the little guys.

. .. . .. --- ....

PP • September 8, 2018 1:12 PM

@MarkH: my workplace pays many thousands of dollars in order to make sure that all components come from the places we think they do. We buy only from trustworthy distributors. And we have already cancelled contracts with distributors that did fail to deliver the things they were thinking they distribute. Often Röntgen and visual inspection are sufficient to identify pirated components. Other times the tests we apply to components find pirated parts: it is improbable that components are both cheaper than the original (which is a prerequisite for pirating) and better than the original. On the other hand I always make jokes about parts that were copied without in-depth knowledge and that therefore fail to come with bugs.

PP • September 8, 2018 1:17 PM

About semiconductors: Some of them are subject to change without notice. Others come from a fab that eventually will be sold to a subcontractor.
Which means they don't change immediately, but can change in the future.

It is always good to regularly monitor the parameters you depend on.

Clive Robinson • September 8, 2018 1:29 PM

@ Hmm,

Don't you dare trust those "safe stores" or "walled gardens" - there be dragons.

@Nick_P and myself had several conversations about the "code signing" issue several years ago long before people started thinking seriously about the issues.

And the control of code signing, which is what the "walled garden" etc. is an extension of, has been used for various forms of unfair market advantage and consumer lock-in, which is the reality of what the big companies are all about[1].

In essence, all code signing is, is producing an archive of installable code, hashing it up and signing the hash with a private key. All it really can offer is proof of the hash value via a simple, not exactly infallible, PKI-type signing.

The code signing does not offer anything in the way of attestation to the quality, correctness, lack of back doors, vulnerabilities, maliciousness, etc. of the code. A moment's thought about the mechanics of the process should tell you this.

Thus there is absolutely no reason to believe that the code archive you download from a "walled garden" "app store" is in any way safe or free of quite deliberate malicious code. And anyone who thinks there is really does not understand the process. Oddly perhaps, but unsurprisingly for some, it's beginning to look like using "sideways loading" from a long established independent vendor is just as safe as using the applicable app store for your device. In fact, based on numbers of devices infected, it may actually be safer for now[2].

The real underlying problem is that for many devices you can not get low level access to the device's network traffic. Thus spotting "rogue traffic to China" is not an easy thing to do, unlike on some other commercial and open source operating systems that run on netbooks, laptops, desktops and servers.

The reason for the underlying problem is to ensure better user "lock in", as well as having the hardware vendor making sure you can not remove their apps, many of which are "telemetry riddled" and "phone home" with the user's data at some level. As some may remember, IBM sold their laptop section to a foreign company called Lenovo. Who were caught using a nasty little BIOS function that IBM had designed years before with Microsoft to ensure the Lenovo malware infested applications could not be removed using traditional methods such as a full wipe of the hard disk and OS re-install from the OS vendor's original media.

Realistically, because of the typical downward spiral of a "Free Market", we can expect that these issues will get little attention other than lip service. Especially from the device manufacturers.

For doubters just look at what goes on in the IoT "free market" as that sort of behaviour will migrate up through all hardware with control over what the user can and can not install, which is the real reason for "app stores".

Some blame the idiocy of the DMCA for bringing back "lock in", but in all honesty all hardware and OS design house management crave that level of control so they can move forward with the sorts of business models that were talked about with the DRM chips.

It's why I don't trust devices manufactured in this century. And as time goes on, the more examples of why it is a good idea, come to light.

But for everyone, just remember that as with Smart Phones, you do not actually own the hardware and OS on the likes of Smart Devices such as pads and tablets etc. Other people own it and will increasingly force you into their rent seeking marketing models... All trussed up and well stuffed like a festive turkey.

[1] Whatever nonsense the likes of Alphabet and Apple spout, walled gardens are about control and "lock-in", a business model IBM put so much weight behind they got various additions to "Nobody got fired for buying IBM", such as "IBM made sure you got fired if you did not buy from them". There are not many people around from the old Big Iron days who will talk about it, but at the end of the day "Walled Gardens" like App Stores are a "monopoly"; there is already enough evidence to show that both Alphabet and Apple have used their control to block independent products and a lot worse.

[2] Numbers of devices infected is actually a quite horrible metric to use. The reason is simple: imagine as a developer you offer your code through an app store and from your own web site. The chances are way more people download your code from the app store and not your web site, because for something like 90% of users it's just easier to use the heavily advertised app store with its vague security promises. Similar logic applies to the number of infected applications as a metric.

Hmm • September 8, 2018 3:24 PM

"walled gardens are about control and "lock-in" a business model "

That's true, though (unless I'm mistaken) this wasn't a code-signing hash spoofing but more like they just plain "failed to evaluate the app" (not the first nor the last) they ALLOW into their garden. Their process for repelling even semi-obvious trojan apps is not sufficient, they just didn't look hard enough. There's an internal balancing act between allowing developers to grow their marketplace and keeping out rogue *holes, and it doesn't take a lot of failures to make that model untrustworthy and then next to worthless.

Throw in the bit about the code signing being so fungible, that's another hard wrinkle.
What's the next step up, a per-bit diff check, 1:1 binary verification from multiple repositories?
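An added example, not from either commenter, that shows Clive Robinson's point mechanically (a code signature commits only to the hash of the archive, so a "phone home" build from the same publisher verifies just as cleanly as an honest one) and then the byte-for-byte cross-repository comparison Hmm asks about. The key pair, the two archives and the repository names are constructed stand-ins; Ed25519 from Go's standard library is used for the signing step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ArchiveDigest is the only thing a code signature commits to: the hash of
// the bytes in the installable archive, not their quality or intent.
func ArchiveDigest(archive []byte) []byte {
	sum := sha256.Sum256(archive)
	return sum[:]
}

// SignArchive is the publisher's step: hash the archive, sign the hash.
func SignArchive(priv ed25519.PrivateKey, archive []byte) []byte {
	return ed25519.Sign(priv, ArchiveDigest(archive))
}

// VerifyArchive is the store's or device's step: recompute the hash and check
// the signature against the publisher's public key.
func VerifyArchive(pub ed25519.PublicKey, archive, sig []byte) bool {
	return ed25519.Verify(pub, ArchiveDigest(archive), sig)
}

// CrossCheck is the "1:1 binary verification from multiple repositories"
// idea: the copies agree only if every repository serves byte-identical
// content, i.e. every digest is the same. It also returns the per-repository
// digests so a mismatch can be pointed at.
func CrossCheck(copies map[string][]byte) (bool, map[string]string) {
	digests := make(map[string]string, len(copies))
	agree := true
	var first string
	for repo, archive := range copies {
		d := hex.EncodeToString(ArchiveDigest(archive))
		digests[repo] = d
		if first == "" {
			first = d
		} else if d != first {
			agree = false
		}
	}
	return agree, digests
}

// Scenario captures the outcomes the thread argues about.
type Scenario struct {
	BenignVerifies    bool // honest build, signed by the publisher
	PhoneHomeVerifies bool // "telemetry riddled" build, signed by the same publisher
	TamperedVerifies  bool // honest build altered after signing
	ForgedVerifies    bool // honest build signed with somebody else's key
	ReposAgree        bool // app-store copy vs. vendor-site copy, byte for byte
}

// RunScenario signs two different builds with one constructed publisher key
// and records what the signature does and does not tell the installer.
func RunScenario() (Scenario, error) {
	var s Scenario
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed publisher key
	if err != nil {
		return s, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // constructed impostor key
	if err != nil {
		return s, err
	}

	// Constructed archives standing in for real installable packages.
	benign := []byte("app v1.0: does the job and nothing else")
	phoneHome := []byte("app v1.0: does the job, then uploads contacts to vendor")

	benignSig := SignArchive(priv, benign)
	phoneHomeSig := SignArchive(priv, phoneHome)

	s.BenignVerifies = VerifyArchive(pub, benign, benignSig)
	s.PhoneHomeVerifies = VerifyArchive(pub, phoneHome, phoneHomeSig)

	tampered := append([]byte{}, benign...)
	tampered[len(tampered)-1] ^= 0x01 // one bit flipped after signing
	s.TamperedVerifies = VerifyArchive(pub, tampered, benignSig)

	forgedSig := SignArchive(otherPriv, benign)
	s.ForgedVerifies = VerifyArchive(pub, benign, forgedSig)

	// The store serves the phone-home build, the vendor's own site the honest
	// one; both carry valid signatures, only the cross-check tells them apart.
	s.ReposAgree, _ = CrossCheck(map[string][]byte{
		"app-store":   phoneHome,
		"vendor-site": benign,
	})
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```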

Clive Robinson • September 9, 2018 1:32 AM

@ Ismar,

The journalists should do a little fact checking to avoid falling prey to what are in effect FUD and phobia stories.

To start with the French story, the journalists should check their history. France has been playing the same sort of espionage tricks for so long now its beard is longer than Gandalf's. It's France being a two year old in the play pen and screaming out for "mummy" because her brother has taken the toy she was playing with. Thus from the espionage side it's yet more "Russiaphobia" being drummed up as Orwellian style propaganda.

To reiterate for those that fall for the Russiaphobia propaganda being drummed up, in the West "all nations, where they can, commit espionage", no ifs, no buts or exceptions. In particular the French were once proud of what they did in that respect, pointing out publicly last century that espionage was cheaper than R&D.

So the Russians got one up on the French in the "Great Game" and are now being a moaning moana about having lost this particular race, yah boo sucks...

However there is a more serious issue: like having two aircraft in the same airspace, having two satellites too close together significantly increases the risk of collision. With aircraft that do collide the resulting wreckage falls to ground quite quickly and over a localised area. Not so in earth orbit; the junk could take well over a hundred years to burn up or hit the ground. But in the meantime, with each orbit the wreckage spreads out and will enter other orbits and orbital slots, causing other collisions that in turn cause other collisions.

Known as the "Kessler Syndrome", it's named after the NASA scientist Donald J. Kessler, who in 1978 was the first to publicly point out the scenario in which the density of objects in low earth orbit (LEO) is high enough that collisions between objects could cause such a cascade or chain reaction. The ultimate result is there is so much wreckage dispersed in space that you will not be able to launch other spacecraft to even try and clean the mess up. Thus closing space to mankind for potentially hundreds of years.

Thus what the Russians are doing is quite dangerous, which the emotive espionage FUD of Russiaphobia is covering up, so people will make the wrong decisions which will leave the real danger left open to run its course...

But when you read towards the bottom you get to the real concern. This is not France "crying over spilt milk" it's France following the US lead of Saber Rattling to get a top table position on weaponising space, which is currently strictly prohibited by treaty.

As for the let's cook your chitterlings with our space communications dish... Yawn.

Again it's mainly FUD. Firstly, the RF power into the base of the antenna of a communications system is usually less than 1/20th of the power of even a small microwave oven. Secondly, it is transmitting into free space, not bouncing it around and building up the field strength in a cavity as microwave ovens do, so it's only a fraction of that fraction of RF power striking any object. Thirdly, the field intensity in free space drops off with the square of the distance, or "1/(r^2)", so you would have to be very close to the antenna, which is usually quite unlikely.

That is not to say there are not dangers with standing too close in an antenna's "boresight", but RF engineers are well aware of the issues and generally take "Fail Safe Precautions" to prevent harm. Usually these are mechanical interlocks involving doubly or triply redundant switches and "hard end stops" that the drive motors can not overcome.

If you take a microwave oven's cover off you can often see as many as eight microswitches around the door. These are arranged to "crowbar" the power supply so the main fuse blows, which means the user either throws it away or gets it repaired.

So the concept of mechanical fail safe interlocks is well established, thus well known, and can be quite inexpensive to install and set up. Which is why you find such things in radar installations that are also mounted on ships, but have microwave RF peak radiated powers that easily exceed several microwave ovens combined.

And because of the close proximity of other electronic equipment to the radar on ships, the designers of the other equipment take care to ensure their equipment, like GPS receivers, is not affected by high power microwave signals.

Which is probably why the safety authorities have not yet got around to replying to the researcher... They might eventually, but not if they consider him a "crank", of which they get several such communications each year.

echo • September 9, 2018 2:11 AM

https://www.theguardian.com/sport/2018/sep/09/serena-williams-accuses-officials-of-sexism-and-vows-to-fight-for-women

Serena Williams has accused an umpire of sexism and treating her more harshly than men as she used a press conference to double down on her earlier on-court tirade at the official during her US Open final defeat to Japan’s Naomi Osaka.

This is true. Bruce openly admits he has no skill at politics and has other blind spots. I've noticed similar with other industries. From personal experience I know sexism is a thing. The only reason I mention this is nobody seems to get "security" unless it's rich white men talking about boys' toys among each other. A case in point is how bringing up the EU treaty and MOD strategic review meets with stunned silence. To be fair, Bruce doesn't claim to be an expert in things he is not and he keeps the door open and gives a platform for "soft" security issues. Joseph Stiglitz is slightly towards the softer end of the spectrum and introduces new thoughts to the mainstream security domain, which is welcome, but I personally still find his framing problematic.

“I just feel like the fact that I have to go through this is just an example for the next person that has emotions, and that want to express themselves, and want to be a strong woman. They’re going to be allowed to do that because of today,” Williams said. “Maybe it didn’t work out for me, but it’s going to work out for the next person.”

I have put in a lot of background activism effort and managed to get a cabinet minister fired. I also played a critical role in Whitehall reversing a very bad policy change into something much better, which had a lot of positive knock-on effects. I also got an entire NHS trust sanctioned and management replaced. A very senior person within the law enforcement area was also forced out of their job. More recently I managed to provoke 2-3 major position statements in the media, both by media and by a major NGO. In all this, like Serena, I got nothing out of it. It has pretty much cost me my life to achieve what I achieved and I was punished for it, so much so that I am actively planning and saving up to leave the UK, most likely as an asylum seeker.

Williams has fallen foul of officials before, most notably when she launched a tirade for a penalty in the final against Australian player Sam Stosur at Flushing Meadows seven years ago.

Tell me about it!

Wesley Parish • September 9, 2018 4:51 AM

@Ismar

You know, the first time anyone ever commented on a space power deploying a satellite or orbital vehicle that acted strangely, it was the US that was the space power and the space object was a satellite that had a next-to-zero reflection, and it was launched some time around the early 2000s.

Myself, I think the stealth satellite is the bigger threat - if it can't be tracked by ground radar, it'll never be tracked by orbital radar, and the chances of it accidentally-on-purpose running into some other satellite that is unable to take evasive measures, is correspondingly huge.

You will never notice the US accusing itself of dangerous behaviour in earth orbit, will you?

This goes back to the wild days of the eighties - the US was talking quite seriously - or at least Ronald Reagan and his cronies were - of filling earth orbit with X-Ray lasers. X-Ray lasers are pumped by nuclear explosions. Nuclear explosions in earth orbit were banned for a very simple reason - the US, iirc, tested a nuclear weapon in orbit once, and lost a huge amount of electronic capability - valve/tube electronics, 1950s - in a huge radius surrounding that test explosion - what is termed EMP. Fast Forward to the eighties, and guess what, the Head Honcho of US America Inc, is boasting about having bad enemies is no good, we're going to have to be our own worst enemies, won't we?

Nobody in the United States of America talks about that these days - kinda like people don't boast of having an inordinate number of close relatives in lunatic asylums with inheritable schizophrenia. But just think of the advantage of guaranteeing that all medical services will be eradicated as one would eradicate bugs, in the event of a nuclear attack. All emergency services, eradicated. All chance one might appeal to the outside world for aid in the event of a nuclear war, eradicated.

I personally thought Ronald Reagan should have had his head therapeutically amputated, as he was not using it and it must've caused him an incredible amount of pain.

echo • September 9, 2018 5:44 AM

@Wesley Parish

This is the big lie and why some issues can only be dealt with via the courts, unfortunately. I'm adding another link indirectly referring to sexism to prove double standards exist and are a thing.

Citizenship based on place of birth is coming under pressure in Canada at the moment. Various people are arguing on an "international law" basis which isn't really law as a court would recognise it. The funny thing is, glancing at RT (Russia Today) as I do sometimes, their front page is upholding Russian interests as you would expect but also feeding the Alex Jones style constituency. Some of the news had a borderline Stormfront level of bigotry to it. As much as I understand, any sympathy I may feel for Russia's position evaporated instantly.

I don't know what the answers are but respectable institution building is likely part of any solution. It would also help people feel good and confident and I believe this has a lot to do with genuine achievement and the halo effect this creates.

https://www.theguardian.com/sport/2018/sep/09/arthur-ashe-legacy-activism-tennis

Over the next 25 years, he worked tirelessly as an advocate for civil and human rights, a role model for athletes interested in more than fame and fortune. […] “I was prepared to be arrested to protest this injustice,” he said. Considering his medical condition, he had no business being at a protest; certainly no one would have blamed him if he had begged off.

JG4 • September 9, 2018 7:04 AM


I scoured the archives looking for the story that I thought that I told here in the spring of '17. It's worth retelling and adding a more recent example. I referenced it here:

https://www.schneier.com/blog/archives/2017/07/me_on_restauran.html#c6757202

One day, I went into a colleague's office to discuss technical issues. At some point in the conversation, he said, "Would you like a cup of tea?" At the time, I often would have a cup, usually some non-caffeine herbal variety. I said, "Let me get my cup," which took only a minute. I stayed and drank the cup and went back to my cubicle. On my computer screen was an ad for tea. I probably searched for tea in 2011, but hadn't seen a tea ad for years, if I ever did. Until right after a discussion about tea.

We already have established that neither of my flip-phones is capable of voiceprinting, because they invariably have pieces of paper in the contacts. The very next day, I went into someone else's office and, in the course of the discussion, said, "Thanks for taking us to [local pub], that was nice." After the usual response, I said, "The only problem with that place is that it is really loud inside." All of the surfaces are hard, so it is a high-Q resonator with a lot of loud sources trying to be heard. When I returned to my computer, there was an ad for ear plugs on the screen. Not only are they routinely voice-printing the audio on smart phones, they are able to serve the ads to the correct screens. I hadn't searched for ear plugs in many years.

More recently, like the fall of '17 or spring of '18, I had a chance discussion with a colleague about running shoes. She is a gifted project manager with fingerspitzengefühl. Not surprisingly, she also keeps up with aerobics, which helps with neurogenesis, health and longevity. I've been doing windsprints. If your non-fasting blood glucose passes fasting criterion, you'll be doing quite well. I had never heard of Merrell shoes, but she was an avid fan of them until her heel got injured. It was late in the day. When I got home, the first thing that I saw on my screen was an ad for Merrell shoes. I try to explain these things to people, but they are in denial.

@Wes - The famous EMP incident you cited was Starfish Prime.

https://www.nakedcapitalism.com/2018/09/links-9-9-18.html

...[policing has been a business model for a long time]

German skeletons hint that medieval warrior groups recruited from afar Science News

...[air security in the news; I should post some links about the devastating effects of air pollution on cognitive abilities. it may be that the hole always was there and plugged with some debris that popped out]

What the Heck Happened on the International Space Station? The Atlantic

Big Brother IS Watching You Watch

Facial recognition touted as ‘user friendly’ system for airports Phys.org

...[the surveillance would be a good idea if it included the right safeguards. we are light-years from the right safeguards.]

...[I'd love it if the Russians rescued Assange and let him work with Snowden]

Ellsberg Says Assange, as a Journalist, Can’t Be Tried Under Espionage Act Consortium News

...

echo • September 9, 2018 7:37 AM

https://www.theguardian.com/uk-news/2018/sep/09/british-army-explicitly-targeting-working-class-recruits-say-critics

British military recruiters are targeting working class youngsters who like risk, are easily influenced and are poor at money management, a briefing document for a glossy army advertising campaign suggests.

Proof the UK is stupid and the British Army is an idiot test. If you pass, you fail. This puts the British Army in the same low hanging fruit league as online scammers and Alex Jones. The article goes on to explain the British Army's cynical use of advertising, targeting of the vulnerable, and targeting of youth and children in economically deprived areas.

Yesterday by chance I took a US police force test which popped up on some webpage in Flipboard. I passed without even trying. My first impression was the test is really scraping the barrel. Almost anyone who can eat with a knife and fork without choking on their food would pass this test. Given some of the dumb UK cops I have met, not to mention the passed out to grass career role? I don't mock or sneer at people with low education or abilities and know people have to find a useful role in society as much as anyone, but ye gods. The other thing is I have met people in the police and military who are clearly more intelligent than their education or job would suggest, but their role and worldview doesn't accommodate this, nor do I believe it is encouraged.

As always I am feeling I am left with more questions than answers.

Humdee • September 9, 2018 9:45 AM

@echo

Wait, what? That has been the US Military's MO for the last 200+ years. It has always been the poor that serve as cannon fodder.

Humdee • September 9, 2018 10:01 AM

@echo regarding Serena Williams

The reaction here in the USA has been mostly negative to her antics. Regardless of whether she was right or wrong on the larger picture the question is whether or not the tennis court was the right place to make that point.

(1) She was caught cheating. The fact that "everyone does it" does not pass muster in the elementary school so it shouldn't pass muster among the pros. If the rule needs to be changed, change it but it isn't going to get changed on the court.

(2) As for breaking her racket since when did emotional violence become OK and synonymous with "strong"? If the men are doing it too (I have no idea, I don't follow tennis) then that is shame on them. Why does feminism always insist that imitating the worst in males is what "equality" stands for?

(3) In any event, I think the whole thing was a charade on her part. She was getting beat and beat badly and so she started throwing temper tantrums in an attempt to throw her opponent off. It didn't work. So now in order to save face she is hiding behind the shield of "feminism". I call that being a sore loser and it is not the character of a champion to be a sore loser.

echoSeptember 9, 2018 11:49 AM

@Humdee

Discrimination is an easy topic on one level but complex once past the surface. It's almost impossible to have a level discussion about it.

albertSeptember 9, 2018 12:55 PM

@Anders,
"...Since i'm into older hardware, i know this up close and personal :)..."

As am I. If I don't learn something new every day, then I'm off my game.

So I was understating the capacitor situation. Nevertheless, I'm sure you'll agree that ICs and CPUs are way more complicated to test and assess. Remember the Intel floating-point fiasco? And now we have CPUs within CPUs with their own operating systems "baked in". Where will it end?
..

@echo,
Re: US police force test. You've misinterpreted the test. They are -designed- to keep the smart folks out. That's the point. -Why- they do so is left for your own analysis. I aced the IQ test for the Vietnam draft (no worry since I already had a good chance of deferment). My buddy (smarter than I), wasn't so lucky. He got drafted, but served on a ship for his whole hitch, in the cryptography section!
..

@Clive,
Parabolic antennas should reduce the standard EM dispersion figures significantly. However, storms and cloud cover can reduce signal strength as well. A lot depends on the frequency, and if you have a Russian satellite lingering under your antenna:)
..

. .. . .. --- ....

AlejandroSeptember 9, 2018 1:54 PM

Top MacOS App Exfiltrates Browser Histories Behind Users’ Backs

https://threatpost.com/top-macos-app-exfiltrates-browser-histories-behind-users-backs/137247/

"A top-grossing Apple App Store program called Adware Doctor is capable of sidestepping macOS security controls and surreptitiously copying a user’s entire browser history. It then sends it to a China-based domain."

It costs $4.99. Apple is aware, but still has it in the store. There have been prior problems with the developer.

Et tu Apple?

Also, how many more do the same and no one knows about it?

AlejandroSeptember 9, 2018 1:59 PM

@albert

Re: Parabolic antennas

Having some aluminum foil left over from making hats, I fashioned some into a parabolic antenna from a design on the web for my wifi router to possibly improve reception/transmission.

I don't have the ability to measure the exact difference, but my man on the keyboard experience tells me it helped.

WaelSeptember 9, 2018 2:10 PM

@Alejandro,

It costs $4.99. Apple is aware, but still has it in the store.

Yes! Serious violations beyond leaking browser history to a place behind the Bamboo Curtain. The update says it has been removed from the Apple Store. I haven't verified because I don't use it, nor did I intend to use it.

HmmSeptember 9, 2018 2:23 PM

"Yongming Zhang" seemed so trustworthy though! I saw that name and I thought "there's a developer I know I can trust, sure let's go ahead and install their MITM software..."

HmmSeptember 9, 2018 2:36 PM

https://www.cnet.com/news/apple-is-building-an-online-portal-for-police-to-make-data-requests/

"This will assist Apple in training a larger number of law enforcement agencies and officers globally, and ensure that our company's information and guidance can be updated to reflect the rapidly changing data landscape," the site says.

In the first half of 2017, for example, Apple received between 13,250 and 13,499 national security requests from the US law enforcement.

Clive RobinsonSeptember 9, 2018 4:07 PM

@ Hmm,

What's the next step up, a per-bit dif check, 1:1 binary verification from multiple repositories?

It's a good question, that we do not have a fool proof answer for yet (or maybe never).

The problem is one you need to break into chunks, so the 20,000ft view of the current developer end is,

1, Development of code.
2, Assemble and sign archive.
3, Make signed archive available.

All of these steps have been successfully attacked in the past. Stuxnet being but one example.

Nobody knows how to make step 1 secure from various attacks on tool and code repositories or by insiders.

The second looks like in theory it could be made secure from external attack if you have the sufficient control on audit processes and KeyMat handling in place... But when you dig in you find it can not be made secure from insider attacks. And as we know stopping an external attacker becoming an insider is basically not possible.

As for making the signed archive available, we know that any online service is vulnerable to a whole pantheon of successful attacks. Which is why code libraries have been found to be unreliable at best.

Those are the easy problems to solve. The much harder ones are of the actual communications in a hostile environment... Where even establishing a secure connection is problematical. As the joke goes "What ever the question is... PKI is not the solution".
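The "per-bit diff check, 1:1 binary verification from multiple repositories" question above, carried through as an added example (not code from this thread or from any real distribution project): fetch the same artifact from several mirrors, hash every copy, compare against the digest in a signed manifest, and locate the differing bytes when one mirror disagrees. The mirrors, the manifest and the key are constructed stand-ins, and HMAC-SHA256 stands in for the publisher's real signature scheme so the block runs with the standard library alone; a real release would use an asymmetric signature (Ed25519, minisign, GPG) so that verifiers hold no secret. Note what the check does and does not cover: it catches a mirror (step 3) serving a modified archive, but a malicious build signed at step 2 passes it unchanged, which is exactly the insider problem Clive describes.

```python
"""Added example: cross-checking one release artifact served by several mirrors
against a signed manifest. Not code from the blog or any project; the mirrors,
manifest and key are constructed stand-ins."""
import hashlib
import hmac
from typing import Dict, List, Tuple


def _flip_byte(blob: bytes, offset: int) -> bytes:
    """Constructed tampering: flip one bit so size and casual inspection look fine."""
    buf = bytearray(blob)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed: the bytes each mirror served for "tool-1.0.tar.gz".
GOOD = b"\x1f\x8b" + b"release-1.0 contents" * 40
MIRRORS: Dict[str, bytes] = {
    "mirror-a.example": GOOD,
    "mirror-b.example": GOOD,
    "mirror-c.example": _flip_byte(GOOD, 100),   # one mirror serves a modified copy
}

# Constructed: a manifest the publisher signs out of band. HMAC-SHA256 stands in
# for a real (asymmetric) signature so this runs with the standard library only;
# the property checked, "this digest really came from the publisher", is the same.
PUBLISHER_KEY = b"constructed-demo-key-do-not-reuse"
MANIFEST = f"tool-1.0.tar.gz sha256={hashlib.sha256(GOOD).hexdigest()}".encode()
MANIFEST_SIG = hmac.new(PUBLISHER_KEY, MANIFEST, hashlib.sha256).hexdigest()


def verify_manifest(manifest: bytes, sig: str, key: bytes) -> str:
    """Return the expected digest only if the manifest signature verifies."""
    expect = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, sig):
        raise ValueError("manifest signature invalid")
    return manifest.split(b"sha256=")[1].decode()


def cross_check(mirrors: Dict[str, bytes], expected_digest: str) -> Tuple[List[str], List[str]]:
    """Hash every mirror's copy and split mirrors into (agree, disagree) with the
    signed digest. Mirrors disagreeing with each other is a signal on its own,
    even before the signature is consulted."""
    digests = {name: hashlib.sha256(blob).hexdigest() for name, blob in mirrors.items()}
    good = [name for name, d in digests.items() if d == expected_digest]
    bad = [name for name in digests if name not in good]
    return good, bad


def byte_diff(a: bytes, b: bytes) -> List[int]:
    """Per-byte diff: offsets where two copies differ; a length mismatch counts."""
    n = max(len(a), len(b))
    return [i for i in range(n) if i >= len(a) or i >= len(b) or a[i] != b[i]]


if __name__ == "__main__":
    digest = verify_manifest(MANIFEST, MANIFEST_SIG, PUBLISHER_KEY)
    agree, disagree = cross_check(MIRRORS, digest)
    print("agree:", agree, "disagree:", disagree)
    for name in disagree:
        print(name, "differs at offsets", byte_diff(MIRRORS[agree[0]], MIRRORS[name]))
```

Fetching from independent mirrors only helps if they are operationally independent: several CDN edges of the same origin will all serve the same tampered file and agree with each other.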

HmmSeptember 9, 2018 8:05 PM

"But when you dig in you find it can not be made secure from insider attacks"

Kind of a meta-problem.


I do think Apple owes it to their users to sanitize and evaluate every single thing they're going to allow in the "safe" walled ecosystem, or it doesn't actually exist as advertised. There's no burning need for some "computer doctor" app to get into that store today as opposed to 15 days from now, so it should not go until they're damn sure it doesn't harm users or the platform. This is the job they signed up for as gatekeepers, this is one reason people buy their thousand dollar phones and put up with their restrictions. Failure on this draws the overall value into question.

echoSeptember 9, 2018 9:24 PM

Apple = wife beaters. Apple don't care about safety. Apple care about control and money. This is what happens when men dominate business. This is what all the slimy backchannels and exploits are for. A system dominated by men designed for men for the continuing status of men in wars and criminal behaviour perpetrated by men. You think Apple will rat out their mates?

God preserve me from white knights and do gooders too especially if they are OMG men!

Ok, now everyone of you guys whose blood is boiling, hold your horses. This is an interesting study.

http://uk.businessinsider.com/black-student-activists-often-ignored-by-white-admissions-officers-2018-9

A recent nation-wide study shows that predominantly white institutions are more likely to embrace black students who don't profess interest in racial justice. Results showed that students who presented anti-racist narratives received less responses from college admissions counselors. The study found that white colleges like black students who see themselves as students first, and black students second.

The article goes on to explain a number of things and, sexism aside, indicates that women who perceive themselves as activists against sexism are discriminated against. I'm guessing that people who don't experience discrimination or who hide it sufficiently well are acceptable because their narrative is about the "work". This "work" may have clear technical and legal and other failings caused by direct and indirect discrimination but you can't say it.

echoSeptember 9, 2018 10:04 PM

I have previously said how I was unhappy with the Captain of HMS Queen Elizabeth. I found his points of view and attitude a bit off. Is it any surprise his crew are a bit odd?

UK police have issues too although not as obvious. The cop drinking my tea boasting about the policing method (I told him three times I had gathered the evidence and it just needed organising and presenting) while he sat there holding his nuts? Not literally but he was a picture and had the whiff of being a little too sexually interested. I'll just say after he was gone I got straight on the phone and told the police I never wanted him around me or in my house again. When I later compared notes with a neighbour what she had to say was, basically, he was a liar because he had claimed a crime solving role to impress me which was completely untrue. She knew this because she had discussed issues with another neighbour. Needless to say there was no investigation into my complaint about his manspreading pervy "banter" and failure to do his job when required.

When you consider the pool the UK military and police recruit from and canteen culture, my sense is the problems never went away.

I expect they and their Captain will all "get off" because they are "one of the boys".

https://www.independent.co.uk/news/world/americas/royal-navy-british-sailors-arrested-police-florida-drunk-a8529926.html

Florida police 'use Taser on drunk and disorderly Royal Navy sailors' on shore leave from £3bn warship. 'They beat the mess out of each other and fight each other more than anything, but once they pick up their teeth off the ground they are best friends'

Clive RobinsonSeptember 10, 2018 4:15 AM

@ hmm,

This is the job they signed up for as gatekeepers

But common sense should have told every one that it was a job that could not be done.

There are three basic groups of instances and classes of software error,

1, Known Knowns
2, Unknown Knowns
3, Unknown Unknowns

They approximately cover past - current - future knowledge of software errors.

So all any walled garden gate keeper can be expected to do is to stop all known instances in known classes,(1) and where possible write code to cover known classes of attack. Which should cover the majority of malware, but obviously not those in the unknown classes of attack.

But what about the phone user what could they be expected to do?

Now I don't know how this current malicious app is doing its thing, no doubt that will become public knowledge in the near future.

What I do know is that from what has been said so far, is that the only way an observer of the app running on a phone would have been aware of it, without appropriate security software on the phone, would have been by the suspicious traffic over the air interface or by unexpected battery drain. Both of which are not easy to measure[1] and worse might not have been very noticeable due to the way the OS and other apps behave.

But I would not expect any ordinary user to be able to carry out the measurements at all times for the obvious reason of test equipment.

So as you note the security is very much down to the gatekeeper, who frankly does not have the resources to keep the phone itself free from security flaws as has been demonstrated a couple of times.

Hence knowing this, I'm surprised anybody seriously expects 100% security of the apps in a walled garden, even before we start talking about zero days and SigInt entities both governmental and commercial.

Which brings us around to the question of "Reasonable expectations at any given price point?". Which is a question that has not really been answered in the PC market place with the likes of AV / Firewall / white&black listing / tripwires / etc.

I suspect that Alphabet and Apple have made the choice to not charge the user anything to avoid becoming liable to them, whilst still maintaining their control over the phone and its user...

As it's known they put pressure on Microsoft to stop it making its mobile device OSs similarly locked down, I can only assume that their real interest is maintaining control, not user security.

Which takes us onwards into other questions which involve regulators and legislation[2] which in turn will mean not just higher prices, but other requirements that users really don't want but that will please the SigInt agencies...

[1] If you look back on this blog there were a couple of threads about an idea from Andrew Huang and Ed Snowden on how to make a sufficiently small "test equipment glove" for an iPhone,

https://www.schneier.com/blog/archives/2016/07/detecting_when_.html

https://www.schneier.com/blog/archives/2017/09/a_hardware_priv.html

But to use it would firstly mean voiding the warranty and secondly being capable of making very fine wire soldering to a half dozen test points in the iPhone. So in all honesty a non-starter for all but a very tiny percentage of iPhone users. It also had another downside it was not "covert" that is anybody seeing the gloved phone would see it was markedly different.

[2] I've no objection to "honest regulation" it has been seen in the past to not just increase safety but also increase market competition. What I'm very much against is the "dishonest regulation" and legislation being pushed out currently to get at users privacy.
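Added example, not from this thread and not Apple's or any vendor's tooling: the observable Clive names above (traffic the app has no reason to generate) turned into detection logic over constructed endpoint-telemetry lines, using the Adware Doctor pattern from Alejandro's post earlier in the thread: an app reads browser-history databases, then uploads a non-trivial amount to a host it has no business contacting. The log format, the per-app host allowlist, the time window and the byte threshold are all assumptions; how Adware Doctor actually moved the data is not described on this page. Such telemetry presupposes a host firewall or endpoint agent that records per-process file reads and outbound connections, which is precisely what the ordinary user of a locked-down phone does not have, so it illustrates what the gatekeeper (or a reviewer with a test device) could check rather than what the user can.

```python
"""Added example: a small detector over constructed endpoint-telemetry lines for
the 'read browser history, then upload it somewhere unexpected' pattern.
Not code from the blog or from Apple; the log format and allowlist are assumed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry: one JSON event per line. Paths are the usual
# macOS browser-history locations; hosts are reserved example domains.
SAMPLE_LOG = """
{"ts":"2018-09-09T13:50:01","proc":"Safari","ev":"file_read","path":"/Users/u/Library/Safari/History.db"}
{"ts":"2018-09-09T13:50:02","proc":"Safari","ev":"net_connect","host":"www.example.com","tx":1800}
{"ts":"2018-09-09T13:51:10","proc":"CleanerApp","ev":"file_read","path":"/Users/u/Library/Safari/History.db"}
{"ts":"2018-09-09T13:51:11","proc":"CleanerApp","ev":"file_read","path":"/Users/u/Library/Application Support/Google/Chrome/Default/History"}
{"ts":"2018-09-09T13:51:40","proc":"CleanerApp","ev":"net_connect","host":"collect.example.net","tx":2457600}
{"ts":"2018-09-09T13:52:00","proc":"CleanerApp","ev":"net_connect","host":"updates.cleanerapp.example","tx":900}
{"ts":"2018-09-09T13:55:00","proc":"Backup","ev":"file_read","path":"/Users/u/Library/Safari/History.db"}
{"ts":"2018-09-09T14:30:00","proc":"Backup","ev":"net_connect","host":"collect.example.net","tx":5000000}
"""

# Substrings identifying browser-history stores (assumption: extend per browser).
HISTORY_MARKERS = ("/Library/Safari/History.db", "/Chrome/Default/History", "/Firefox/Profiles")

# Assumed per-process allowlist of hosts each app legitimately talks to.
KNOWN_HOSTS: Dict[str, Set[str]] = {
    "Safari": {"www.example.com"},
    "CleanerApp": {"updates.cleanerapp.example"},
    "Backup": {"collect.example.net"},
}
WINDOW = timedelta(minutes=5)      # history read must precede the upload by at most this
MIN_UPLOAD = 100 * 1024            # bytes; smaller uploads treated as ordinary telemetry


def parse(log: str) -> List[dict]:
    """Parse the line-delimited JSON telemetry into event dicts with datetime stamps."""
    events = []
    for line in log.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_history_exfil(events: List[dict],
                       known_hosts: Dict[str, Set[str]] = KNOWN_HOSTS,
                       window: timedelta = WINDOW,
                       min_upload: int = MIN_UPLOAD) -> List[Tuple[str, str, int, List[str]]]:
    """Alert when a process reads a history store and, within `window`, sends at least
    `min_upload` bytes to a host outside its allowlist. Returns
    (process, host, bytes_sent, history_paths_read_in_window) per alert."""
    reads = defaultdict(list)   # process -> [(ts, path)]
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["ev"] == "file_read" and any(m in event["path"] for m in HISTORY_MARKERS):
            reads[event["proc"]].append((event["ts"], event["path"]))
        elif event["ev"] == "net_connect":
            recent = [path for ts, path in reads[event["proc"]] if event["ts"] - ts <= window]
            unexpected = event["host"] not in known_hosts.get(event["proc"], set())
            if recent and unexpected and event.get("tx", 0) >= min_upload:
                alerts.append((event["proc"], event["host"], event["tx"], recent))
    return alerts


if __name__ == "__main__":
    for proc, host, sent, paths in find_history_exfil(parse(SAMPLE_LOG)):
        print(f"{proc}: {sent} bytes to {host} after reading {paths}")
```

In the constructed sample only CleanerApp fires: Safari reads its own history and talks to an allowlisted host, and Backup's upload of the same file is both allowlisted and outside the window. A real deployment would tune the window and threshold against baseline traffic, since a cleaner app that also syncs settings will look similar at small volumes.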

Clive RobinsonSeptember 10, 2018 4:54 AM

@ Wulf,

And so the wheel goes around...

Those at one point feel increasing pleasure those at another increasing pain.

But as things go around faster and faster, eventually it will fly apart or collapse under it's own weight.

And the only thing you can be certain of is those that created the problems will not be there to pick up the pieces or sweep up the bits... No they will have gone on to create other wheels of doom happily spinning their way into ever more non untanglable messes for the masses to curse and rant about.

echoSeptember 10, 2018 6:16 AM

https://edition.cnn.com/2018/09/09/opinions/i-was-arrested-for-what-i-believe-perabo/

"Piper Perabo is an actress known for her role as CIA agent Annie Walker in the TV series "Covert Affairs," for which she received a Golden Globe nomination in 2010. She has appeared in numerous films, including "Looper," "The Prestige," "Imagine Me and You," and her breakout role in "Coyote Ugly." Perabo is also a political activist and voice of advocacy for the International Rescue Committee. The opinions expressed in this commentary are solely those of the author. View more opinions on CNN."

(CNN)I got arrested last Tuesday, and it wasn't a scene in a movie.

Why don't we have this kind of excitement in the UK?

echoSeptember 10, 2018 6:36 AM

https://www.theguardian.com/uk-news/2018/sep/10/hillsborough-officer-pleads-not-guilty-manslaughter-charges-david-duckenfield

Duckenfield is charged with manslaughter by gross negligence in relation to 95 of the people who died. The maximum sentence for manslaughter by gross negligence is life in prison. Mackrell is accused of being culpable for Sheffield Wednesday’s failure to agree with the police before the semi-final the arrangements and number of turnstiles for admitting Liverpool supporters into the Leppings Lane and north-west terraces, in contravention of the club’s safety certificate for Hillsborough. The second criminal charge accuses Mackrell of failing to take reasonable care for people’s health and safety under the 1974 Health and Safety at Work Act. The maximum sentence for the first charge is two years in prison; for the second, the maximum is an unlimited fine.

I've been bullied and gaslighted by the police a few times. On one occasion a police officer became demanding and wanted to know what the criminal offences were. I listed some which he abruptly denied...

I have dealt with the police on other occasions where they have denied a criminal offence has occurred and denied responsibility. On the first the police opinion was found to be unlawful and the government asserted the proper reading of the human rights act which had been misused by local governments, and later media confirmed the particular criminal issue was indeed the police's responsibility. On the second issue I gave the police the exact lines of statute and regulation which defined the criminal offence and the police still denied it was a criminal offence.

I was fairly sure health and safety at work law applied to some of the issues I was bringing to the attention of the police. I'm a bit hazy on whether I knew they could come within the remit of criminal law or not. I think so but it's been a while. This is another area of law from my experience the police will avoid if they can get away with it.

UK cops aren't only ignorant but peddle ignorance too leaving citizens without professional legal advice feeling beaten up or in some cases leave them being actively misled. This wouldn't be so bad but when allegations involve abuse and discrimination by people with a duty of care this only adds to the feeling that the state doesn't care or in some instances condones it.

JG4September 10, 2018 8:08 AM


Thanks for the ever-helpful discussion. Great picture of Bruce in the first article.

https://www.nakedcapitalism.com/2018/09/links-9-10-18.html

...

For safety’s sake, we must slow innovation in internet-connected things MIT Technology Review

...

Space: Another frontier for the US-Russian rivalry CNN (The Rev Kev)

...

Big Brother IS Watching You Watch

ARE NEW YORK’S FREE LINKNYC INTERNET KIOSKS TRACKING YOUR MOVEMENTS? The Intercept

At Stake in Lawsuit: What Can Bosses Access on Your Personal Devices? WSJ

...

HmmSeptember 10, 2018 11:31 AM

Rules for thee but none for me.

President Donald Trump’s administration will announce a new hard-line stance toward the International Criminal Court on Monday, in response to the court's proposed investigation of alleged war crimes committed by U.S. troops in Afghanistan.

Trump’s National Security Adviser John Bolton will outline the White House’s new approach to the ICC at a meeting of the Federalist Society, an organization of conservative lawyers, in Washington, D.C., on Monday.

According to a draft of Bolton’s speech seen by Reuters, Bolton will assure the audience that America “will use any means necessary to protect our citizens and those of our allies from unjust prosecution by this illegitimate court.”

https://www.newsweek.com/stop-investigating-american-war-crimes-trump-administration-will-tell-1113363

ScaredSeptember 10, 2018 12:25 PM

@echo (From Guardian)

"If GRU agents had wanted to target Skripal, they would have done it “quietly, without fuss, and brought him [to Russia] in a mail bag, and no one would have known where he had gone,” Ivan Tarasov told Russia’s Komsomolskaya Pravda newspaper.
Tarasov also claimed the Skripals could have been targeted by a Russian crime gang, possibly over unpaid debts, and mocked reports that the suspects stayed in the same room in a cheap hotel near Salisbury. “That’s how bandits act, not professional secret service officers. GRU officers don’t stay in London hotels,” he said.
The purported ex-GRU officer also suggested that the suspects could have used novichok in a bid to confuse British investigators by pointing the finger of blame at the Kremlin."

All the (- to Joe Sixpack -) obvious clues pointing to Russia makes the whole story suspect in my opinion. It was quite inconvenient for Putin to have his buddy in the WH forced to agree to imposing sanctions because of the public uproar.

MarkHSeptember 10, 2018 4:11 PM

@Clive:

"enumeration of individuals used to be an indicator of financial crime was heading their way" ...

... or in some cases (though presumably not this one), financial law enforcement.

Years ago, when BitCoin first gained traction (for its star application domain, the facilitation of crime), I heard that in the USA, federal prosecutors had taken to calling BitCoins "prosecution futures" (in analogy to commodity futures).

HmmSeptember 10, 2018 4:52 PM

"It would appear that people are after the personal details of BitCoin holders/traders..."

And their favorite teacher, first car, pets name and favorite book. What an odd biographic query!

I'm sure it's just journalistic thoroughness.


NikolajSeptember 10, 2018 5:29 PM

Exploit vendor drops Tor Browser zero-day on Twitter

A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable.

Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.

In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions.

https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/

TatütataSeptember 10, 2018 7:15 PM

Thirdly the field intensity in free space drops off at the square of the distance or "1/(r^2)" so you would have to be very close to the antenna which is usually quite unlikely.

Moreover, this r^(-2) relationship is only valid in the far field. Simplifying outrageously, the field strength roughly plateaus in the region 0..(2*D^2/lambda), where D is the aperture dimension, and lambda the wavelength.

Current VSATs operate in the uplink at Ku Band (~14 GHz), or at Ka Band (~28 GHz), which respectively work out to wavelengths of ~2cm and 1cm.

The diameter of the dish illustrated in the article seems to be of the order of 60-80cm. The resulting far field boundary is in the dozens of meters.

A typical power for a Ka or Ku end-user VSAT terminal expressed in watts is lowish to medium single digit number, with little margin to spare, as these are rather expensive. A microwave oven is 100+ times more powerful, and its RF energy bounces around the cavity until it is either absorbed by the chicken or reflected back to the magnetron.

I wouldn't worry too much as far as the field strength of the VSAT antenna is concerned, even for electrical systems, although I wouldn't press my eyes on the feedhorn. It is however possible to engineer a system that focuses power at a given distance, but a VSAT terminal couldn't be made to do that by software. (BTW, I'm rather skeptical about Cubans building a microwave weapon which wouldn't have been otherwise detected, when there are much easier ways to harass people. And that doesn't seem to be in their interest.)

I tried to find references or calculations for the ominous insinuations of the researcher, in vain.

I might know a little bit about what I'm blithering about, I designed antennas and RF power amplifiers in a previous life, and I even know approximately from which extremity a soldering iron should be grabbed, and I even have the scars to prove it.

However, if the VSAT terminals can be hacked as it is claimed, I think that it is plausible to recruit a number of these to effect a type of DDoS attack on the bird, with all of them transmitting simultaneously and jamming the transponder.

About the article with the Russian bird allegedly loitering about a French one, I gain no information from the article about what this might be about, and what one might actually gain from that which couldn't be gathered from the ground. Satellites must fulfill entire shelves of specifications, and a well designed spy satellite would surely avoid inadvertently radiating red intelligence. Active measures were perhaps employed? E.g: pointing a laser into a photographic reconnaissance satellite when sensitive territory is overflown?

For the Skripal accusations, John le Carré's "Smiley's People" comes to mind, where the use of a spectacular murder method was supposed to intimidate others, "pour l'exemple". Polonium, novichok, ricin, dioxin, etc., that's too many exotic MOs for your mobster with the gold dental work, when a rusty old Makarov will do.
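The numbers in the post above, carried through as an added example (not code from the thread): the Fraunhofer far-field boundary 2*D^2/lambda for a 70 cm dish at the Ku and Ka uplink frequencies quoted, the aperture gain that goes with it, and the far-field power density P*G/(4*pi*r^2), which is the quantity that falls off as 1/r^2 (field amplitude falls as 1/r). The 70 cm diameter, 60% aperture efficiency and 4 W transmit power are assumptions chosen to match the figures in the thread.

```python
"""Added example: near-field boundary, gain and far-field power density for a
small VSAT dish. Not code from the blog; dish size, efficiency and power are
assumed values matching the thread's figures."""
import math
from typing import Dict

C = 299_792_458.0  # speed of light, m/s


def wavelength(freq_hz: float) -> float:
    """Free-space wavelength in metres."""
    return C / freq_hz


def far_field_distance(dish_diameter_m: float, freq_hz: float) -> float:
    """Fraunhofer boundary 2*D^2/lambda. Beyond it power density falls as 1/r^2;
    inside it the simple inverse-square picture does not hold."""
    return 2.0 * dish_diameter_m ** 2 / wavelength(freq_hz)


def aperture_gain(dish_diameter_m: float, freq_hz: float, efficiency: float = 0.6) -> float:
    """Linear gain of a circular aperture: eta * (pi*D/lambda)^2. Efficiency is assumed."""
    return efficiency * (math.pi * dish_diameter_m / wavelength(freq_hz)) ** 2


def power_density(p_watts: float, gain_linear: float, r_m: float) -> float:
    """Far-field power density in W/m^2: P*G/(4*pi*r^2). Valid only for
    r >= far_field_distance(); do not extrapolate it inward."""
    return p_watts * gain_linear / (4.0 * math.pi * r_m ** 2)


def vsat_summary(dish_m: float = 0.7, p_watts: float = 4.0) -> Dict[str, Dict[str, float]]:
    """Work the numbers for Ku (14 GHz) and Ka (28 GHz) uplinks; assumed inputs."""
    out = {}
    for band, f in (("Ku", 14e9), ("Ka", 28e9)):
        r_ff = far_field_distance(dish_m, f)
        g = aperture_gain(dish_m, f)
        out[band] = {
            "lambda_cm": wavelength(f) * 100.0,
            "far_field_m": r_ff,
            "gain_dBi": 10.0 * math.log10(g),
            "density_at_ff_W_m2": power_density(p_watts, g, r_ff),
            "density_at_2x_ff_W_m2": power_density(p_watts, g, 2.0 * r_ff),
        }
    return out


if __name__ == "__main__":
    for band, row in vsat_summary().items():
        print(band, {k: round(v, 3) for k, v in row.items()})
```

With these inputs the boundary lands at roughly 46 m for Ku and 92 m for Ka, which is the "dozens of meters" above, and the far-field density at that boundary for a 4 W terminal is under 1 W/m^2, well below the 10 W/m^2 general-public reference level ICNIRP publishes for 2 to 300 GHz. Doubling the distance quarters it, as the 1/r^2 law says.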

echoSeptember 10, 2018 8:12 PM

@Scared

You're quoting a reader comment below a Guardian article. I am keeping an open mind on everything.

I can say wild things too and have but at least have stories published soon after which corroborate the main allegations. In the main I find the media on some stories to reflect with equal measure the blindness of the state. This happens when newspapers only listen to officials and rich people. Low level but disastrous abuses of power out of sight of management accountability and external scrutiny are essentially routine and normalised. In some cases it is management driving the issue. Persistence by management can be flipped by management into ministerial level authorisation.

As an example consider the unreasonable and discriminatory treatment of fat people by healthcare. When it became publicly known the standard pathway was inadequate and enhanced discriminatory attitudes there was an outcry. This produced a change in policy. After some time had passed another healthcare authority used their budget crisis to revisit this issue and pressure the health minister for authorisation to make an exception. The health minister signed this off. Healthcare now has an excuse to go back to the old unreasonable and discriminatory policy.

Nobody especially cares nor can they see the connection. What is important is to gather evidence on how the system works in reality. The reality isn't always what the policy or PR claims. Sometimes on a second or third reading you can see this. Sometimes you have to drill through policy layers and read around indirectly relevant but non-obvious policies. Neither a lawyer nor judge nor journalist will do this unless it's a very high profile case and there is a lot of status or money in it for someone.

The UK can be a very harsh and cruel country away from scrutiny. The UK has ways of killing "undesirables". Death by cold and neglect are one method. The extreme right is known to have infiltrated the legitimate system and will use the exact same methods as incompetent and surly staff to achieve different and much more consciously organised ends. Who is to say Russia doesn't have the same problem?

"The UK isn't executing the old and poor nor are the police sexually harassing and abusing inconvenient women blowing the whistle."

"Russia is not executing the politically inconvenient nor is misogynistically executing women who achieve influence."

WeatherSeptember 10, 2018 11:59 PM

Tatutata
I thought Sat used 1.4 or 2.4mhz,could be old or different uses.
About the poisoning even mobsters pick up opsec and tactics from other groups more so from something that can do them damage, some of those things on the list would probably be easy to get in parts of countries.
Sat cameras have filters to block the sun, I doubt a laser would do much, and using it over secure areas just highlights what areas to check even if its one hundred thousand

echoSeptember 11, 2018 12:22 AM

https://www.independent.co.uk/news/uk/home-news/girl-guides-army-uk-british-sponsorship-partnership-recruitment-a8531456.html

The Girl Guides have struck a sponsorship deal with the British army, prompting criticism from pacifists who called the move a “backwards step”. Critics said the decision undermined the organisation’s ethos and expressed concern that Girlguiding UK would encourage impressionable children to join the armed forces. Under the deal, girls as young as four will complete courses designed by the army to develop their leadership skills. The armed forces will also host stalls at national Girlguiding events and run activity evenings.

You don't need to be a pacifist to query this! I perceive this as no different to institutional brainwashing and shops selling padded bras for 12 year old girls. Neither the army nor army marketing need to be involved.

This is a hugely difficult area of public policy. Many female academics who have published on women and girls psychological development and equality are themselves sidelined in areas like gender studies because this was the only avenue historically available for advancement. This is beginning to change but it will be the next generation of women who benefit from this. Legacy issues are still an issue with public policy including schools who under financial and social pressures too easily fall back to a pre-WWII model which institutionalises rote learning and conformity. Looking forward I am really concerned that a lack of expertise with developing public policy will over the next 10-20 years plus increasingly masculinise the environment without any change in public policy or social structures to compensate whether it's continuing income inequality or the downgrading of health and welfare and home and family and similar, with recuperative therapies and rehabilitation not even on the agenda.

Imagine the howling if the boot was on the other foot. What if The Fawcett society sponsored baby nappy changing and Mothercare stalls at military shows and promised the young male cadets attending they would receive a 40% pay cut compared to women when they entered the workforce?

Clive RobinsonSeptember 11, 2018 12:26 AM

@ Tatütata,

Moreover, this r^(-2) relationship is only valid in the far field...

I used to give all the equations etc but people started to tell me off about the length of my posts, so I stopped doing it to the same degree...

As for the powers you quote, yup that's the usual commercial solid state levels. However for some reason --you can probably guess-- military kit still uses 40W Travelling Wave Tubes or solid state equivalent.

But as you probably also know the near field is likely not an issue with rogue software behaviour. Because all the civvy equipment with auto steer I've played with or seen sits under a radome for normal operation. With the radome usually having more clearance than the near field zone, and I'm assuming because of the dish profiles and mounting structures the same is true for military kit.

So "we are agreed" though, this story is at the very least "being over egged" by either the journalist or the researcher.

Oh have you found out the hard way that RF Burn scars stay with you for decades whilst soldering iron scars tend to be a week or two at the most?

As for the Salisbury Nerve agent attack I'm still assuming that it was a "warning to all" type mission with sufficient deniability built in for avoiding certain issues. Thus the assumption from the get go was the field agents would be found by the UK's CCTV network but not for atleast a few days so a "quick in and out" operation with minimum support[1]. With it being the last overseas "field mission" for those involved. The advantage of the UK CCTV network came to light with the 7/7 bombers. The authorities eventually had CCTV footage of them from virtually their front door, down half the country and right up to the time of self immolation. So it's something any half way awake intel entity would be aware of. I'm not ruling out "rouge" or "criminal" attacks as Russia does have significant crime bosses etc, but that just makes things easier for various Russian Government Entities as it alows not just deniability but sufficient "arms length" contractors. However as I've said a few times "We will have to wait on the evidence that comes into the public domain" before we can do much more than speculate. Though there is still a question hanging about around 20 other untimely deaths of prominent Russian's in the UK...

Oh one last thing you've probably seen the Sqrt(-1) conversation on another thread, with @Wael bemoning the lack of equation mark up... I tend to go for the 1/(x^2) type display over the x^(-2) simply because I think it looks clearer to most people. It would be interesting to hear other peoples views on it.

[1] Often when a state sanctioned termination takes place a quite large number of personnel are involved, with up to four teams of four people for around the clock availability plus all the field support teams for them, so up to forty people can go out into the field at various points. The assumed Mossad hit in the Middle East turned up a fair chunk of the likely numbers involved, and the authorities probably have CCTV footage of other team members as well.

ThothSeptember 11, 2018 1:06 AM

@Clive Robinson, all

Hex-Five tries to implement ARM TZ-based TEEs for RISC-V, with a nice dash of patents and a spoonful of NDAs for the RISC-V environment.

As I predicted, RISC-V, with all its good intentions of being open and verifiable when it started, will eventually fall.

The fall began long ago and has only just started to get even juicier.

Now, do we have all that openness RISC-V promised?

I doubt it. Market pressure, patents and so forth will eventually force it down the same path as the rest of the pack.

More blackbox snake oil brewing with this MultiZone TM TEE TM R and all those symbols, patents and mind boggling, huge security holes, and also, last but most importantly, a gift that simply never stops giving in the name of snake oil "Security" by means of embedding more blackboxes.

It will eventually be no different from Intel/AMD/ARM, with lots of gifts waiting for discovery and exploitation.

Back to C-&-P as the only way forward.

Link:
- https://www.theregister.co.uk/2018/09/10/sifive_hex_five_riscv_secure_environment/
- https://hex-five.com

Wesley ParishSeptember 11, 2018 5:16 AM

@Hmm

Rules for thee but none for me.

I prefer my formulation:

Vheratsho On the Rooftop
https://pandora.nla.gov.au/pan/10063/20070101-0000/www.antisf.com/stories/story06.html

They talk like predators, but cower like prey.

Just you wait until someone uses white phosphorus on US troop concentrations using the same excuse that the US Marines etc used in Fallujah. Or napalms a US military base, or feeds tear gas into a US military base central heating system - everything that can be justified on US military past behaviour and military law experts. And justified on the grounds that the US military justified such behaviour on various legal grounds, such as ... and such and such, and ....

You will never hear the end of it. Until the end of time you will still hear the last surviving citizens of the US, survivors of the Nth US Civil War, whining about the enemy's base treachery in using xyandz weapons against the US military, when the US military had shown how much it cared for its enemies in the caring way it used xyandz weapons on them ...

echoSeptember 11, 2018 6:04 AM

This commentary and Twitter thread are a good examination of the issues of power and expression, and rules being applied unfairly. This isn't a technical security issue in the strictest computer hardware and software sense, but it is certainly technical and security orientated within their specialities and security orientated public policy.

I could cross reference some of the content with academic papers and five years plus of media coverage, but it's a lot of work. It's been personally frustrating for a long time that a lot of the content hasn't been discussed or taught in the mainstream. Sometimes just bringing the subject up, even with other women, gets the boggle eyed look. I think people, including many men, do want to understand, like many women want to achieve. Hopefully this and future commentary will help expand discussion, fill in the blanks and make clearer sense from a public policy perspective.

https://www.theguardian.com/lifeandstyle/2018/sep/11/serena-williams-angry-soraya-chemaly-women-should-unleash-rage

https://twitter.com/Knightcartoons/status/1039017329030393856

@Wesley Parish

This kind of behaviour makes a mockery of international law. It is also very dangerous as you suggest.

CallMeLateForSupperSeptember 11, 2018 10:43 AM

JavaScript still screwing unwitting netizens.

"As many as 38,000 British Airways customers may have had their contact and financial information stolen in the breach, which evidence suggests was the result of malicious ==>> JavaScript" [emphasis mine]

Why is JavaScript still ENabled in your browser? Spare me the tired excuse, "Because DISabling it breaks so much of the web".

@Clive, what do you have to say for your national airline? ;-)

Clive RobinsonSeptember 11, 2018 12:32 PM

@ CallMeLate...,

@Clive, what do you have to say for your national airline? ;-)

You've read the blog posting guidelines, so you know there are a lot of words I can not use ;-)

Let's just say their reputation bumps along...

I used to know someone who worked in their IT Dept when they were stealing Virgin Atlantic customers, and they found the morals of management to be low to the point they created a significant depression.

They used to have a marketing tag line of "Fly the Flag..." to which many had added "... And lose a bag" or similar.

The one thing I did discover about flying was to split your carriers, that is, always fly the "flag carrier for where you are landing", as they get priority come bad weather or other problems.

Oh, another trick about flights is that the price from the airline goes up the closer you get to the flight time, but the price for city breaks drops the nearer you get to flight time. Thus sometimes you get a cheaper deal and a hotel for free, which is great if you are visiting a lady friend abroad, or you want to spend a little time looking around over and above your business trip. Of course it's also a lot cheaper to fly for the weekend plus a couple of days: fly out and back in the same working week and you will get stuffed on flight costs. Fly out in one week, have the weekend in a hotel and fly back the next week, and if you don't mind the accommodation you stay in you get the weekend for free...

As far as I'm concerned all the airlines, the airports they use and the government of the airport see people flying as "cash cows", thus I'm quite glad I'm no longer allowed to fly. Anyway, train and boat, when you can afford it, is so much better ;-)

Clive RobinsonSeptember 11, 2018 2:49 PM

@ Bruce and the usual suspects,

This week appears to be turning into a bad news week around digital currency,

Apparently the Marshall Islands decided to have a second currency as well as the US Dollar.

It turns out the International Monetary Fund thinks this is a very bad idea.

https://www.bbc.com/news/technology-45485685

hack the plan E.T.September 11, 2018 3:45 PM

@Nikolaj

>Exploit vendor drops Tor Browser zero-day on Twitter

NoScript Dev (Giorgio Maone) Replies To Article/News

https://tech.slashdot.org/comments.pl?sid=12595462&cid=57288702
https://slashdot.org/~Giorgio+Maone

"The NoScript dev -- not "devs" ;) -- here.

Thank you for your commentary, which is quite to the point except for two details which I'd like to set straight:

The existence of this vulnerability, let alone its nature, has never been disclosed to me or to the Tor Browser team. The very first hint I had about it was this tweet by the ZDNet reporter, sent about one later than Zerodium's one, and noticed even later.
Based exclusively on that Zerodium tweet (not a proper bug report, just an innuendo without even a link to a live PoC), the "NoScript team" (just me, actually) scrambled to create a reproducible test-case, dig into NoScript 5 "Classic"'s code base which had not been touched for months*, find the bug, fix it, test the patch, package two new versions (one for the beta autoupdate channel, one for the stable one) and deploy them both in quite less than one hour, in real time while being interviewed by the journalist. In the old days, when I had my own garage bands, our typical rehearsals were much longer -- and pleasant ;)

* NoScript 10 "Quantum" has been the main branch and the only one I have focused on since December 2017: it's a complete rewrite and was born unaffected by this bug. NoScript 5 has been kept around so far for the Tor Browser and the others based on Firefox ESR 52, like Palemoon.

I'd also like to add that NoScript 10's code is much simpler, leaner and easier to understand / maintain, and has got a lot more "friendly" eyeballs reviewing it for possible flaws. Therefore I'm quite confident something like this wouldn't go unnoticed that easily. Anyway, I vow to keep fixing whatever security bug is found (either cooperatively or in a hostile and disturbing way, like in this case) as fast as humanly possible, and even a bit faster, like I always did :)"

margotSeptember 11, 2018 3:59 PM

The Military Now Has Tooth Mics For Invisible, Hands-Free Radio Calls

"Dubbed the Molar Mic, it’s a small device that clips to your back teeth. The device is both microphone and “speaker,” allowing the wearer to transmit without any conspicuous external microphone and receive with no visible headset or earpiece. Incoming sound is transmitted through the wearer’s bone matter in the jaw and skull to the auditory nerves; outgoing sound is sent to a radio transmitter on the neck, and sent to another radio unit that can be concealed on the operator. From there, the signal can be sent anywhere."

"The Molar Mic connects to its transmitter via near-field magnetic induction. It’s similar to Bluetooth, encryptable, but more difficult to detect and able to pass through water.

Sonitus received early funding from In-Q-Tel, the nonprofit investment arm of the CIA, to develop the concept. Hadrovic declined to say whether CIA operatives had used the device in intelligence gathering. But the Molar Mic has seen the dust of Afghanistan and even played a role in rescue operations in the United States."

Clive RobinsonSeptember 11, 2018 4:10 PM

@ Bruce and the usual suspects,

Yesterday Zerodium, a company that trades vulnerabilities in commodity and Open Source software, dropped details about a zero-day vulnerability in the Tor Browser via Twitter...

https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/

Apparently the vulnerability is in the NoScript extension and is a "full bypass of the "Safest" security level".

NoScript is included by default in a number of Firefox distributions, including all Tor Browser distributions. But according to the NoScript extension author Giorgio Maone, the problem that caused the zero-day came from a workaround for the Tor Browser JSON viewer. However, due to a change in the code base used, the zero-day does not affect the most recent 8.x branch of the Tor Browser released last week.

Giorgio has said that the bug goes back to 11th May 2017 with the release of NoScript 5.0.4. He has also released a NoScript update 5.1.8.7 which fixes the issue in NoScript.

Apparently Zerodium have a large number of other attack vectors against the Tor Browser from a bug-bounty they ran in Dec 2017.

So Zerodium are indicating that the Tor Browser, even in its latest version, is most likely to still have attack vectors...

Which is hardly surprising, for various well known reasons.

But as I've indicated a few times before, Tor itself is architecturally wrong to be secure these days. So don't use it for anything that could get you killed, jailed, lose your job, or cause you significant embarrassment if it became known.

Fill in the blankSeptember 11, 2018 4:31 PM

@ Clive Robinson:

"But as I've indicated a few times before Tor itself is architecturally wrong to be secure these days."

I feel the problem is with Tor Browser and NoScript, not [entirely] Tor. One can disable JavaScript within Tor Browser's about:config, but it's still based on Firefox [ESR].

IIRC you can choose other browsers which support Tor, and maybe even a few which do not include JavaScript capability.

You can use a lot of applications with Tor apart from web browsers, too, for various tasks. Browser extensions, like NoScript, may feel useful, but I believe every one of them is just adding another layer of unneeded complexity and painting a larger attack surface.

TatütataSeptember 11, 2018 6:01 PM

So don't use it for anything that could get you killed, jailed, lose your job, or cause you significant embarrassment if it became known.

I run a Tor intermediate relay, out of curiosity.

The main side effect is that it occasionally gets me kicked out of web sites, about once or twice a week. A message about my IP address being a proxy or, more explicitly, accusing me of the crime of running a Tor node is thrown in my face. Strange thing, it is neither an entry nor an exit node, so why the hostility?

To my surprise, according to statistics, if I understand correctly, about 1/8000 of Tor traffic goes through my node, suggesting that it isn't a very large system.

echoSeptember 11, 2018 8:44 PM

https://www.theguardian.com/uk-news/2018/sep/12/two-police-officers-disciplined-alice-ruggles-murder-case

“Sadly, police response to stalking has been shown to be inadequate in almost every area of the country and Alice’s experience is not unique. It is vital that police and all areas of society take notice of this report,” they said.

This kind of incident is not a one off. I won't tell the whole lurid story of UK police ineptitude which turned into harassment and bullying and sexual harassment and physical assault by police officers and God knows what else. This is what happens when dealing with an organisation where staff do not listen or consult or read up, even when specifically informed of what they need to act with competence. My experience of the UK is that they are ignorant and lazy thugs, and threatening and abusive.

Police behaviour and attitudes affect some people and cases very badly. In public the police put on the act and say people should come forward. As things turned out, within the specific category of the complaint I wanted to bring to the police for action they had received zero complaints. After my experience the police wonder why? I was kicking up such a stink that the police, behind my back without telling me, arranged a community meeting with a local social group (not support group) as window dressing to "prove" they weren't discriminatory. The police have also re-issued public statements about wanting people like myself experiencing hate crimes to come forward. The media articles which cover this also go on to explain the community's suspicions about the police, because too many people know what the police are like in practice, and members of the community coming forward remain close to zero or zero.

UK police have a real ignorance and arrogance about their own job, especially if it affects discrimination. They just don't listen and everything turns into a canteen culture driven by aggressive know it alls and passing the buck. When the police control room was read the riot act? Instead of having a clue they become even worse, in my experience, because they double and triple down on demands to fit box ticks on a computer screen instead of listening and learning and displaying skill in the light of new relevant information.

I cannot be the only person mistreated like this and this report highlights one incident likely only investigated because a person died. Like I told the police more than once I would rather they pay attention now because I don't want to be on the wrong side of a public enquiry. They are too thick to even understand this.

Like a lot of public officials I believe police are so used to being nosey and telling people what to do and acting in a very ignorant way where they won't double check policy or guidelines, or their own duties and obligations, or even make one single phone call to an acknowledged external authority when their handling of issues is in question they actively create a bigger disaster which sucks in more resources and does more harm than if they had paid attention the first time.

When macho police only listen to each other and their "mates" because they are hiding behind their "status" and cannot stand the thought that the affected person in front of them is more expert than them, and the police want to keep everything "secret" and not involve outside authorities and experts and community representatives, or, as in the extreme example of dragging me off to a side corridor so they could avoid witnesses and refuse to contact HQ, then slam me into a wall, my feeling is the police are thinking with their dicks. Police behaviour is no different from a street mugger or rapist. They want to own and dominate and possess, and at this point they stop protecting the public and cross over the line of being misogynistic and become a force attacking the public without consent. This has to be gross negligence at the minimum.

HmmSeptember 12, 2018 12:08 AM

@Tatu

"To my surprise, according to statistics, if I understand correctly, about 1/8000 of Tor traffic goes through my node, suggesting that it isn't a very large system."

You're right. It isn't. That alone has major implications for actual anonymity.

"Strange thing, it is neither an entry or an exit node, so why the hostility?"

They don't know what "you" do, but they know you're a blind relay for a-holes.
Exit nodes get even more attention. All of it managed by bridge authorities.
Guess who runs the bridge authorities? Not you!

"They" have node networks, can probably unmask you via timing attacks alone.
That's even if you've got perfect encryption methodologies.

Of course, anything you actually browse to can exploit and identify that way.
"They" are pretty good at that also.

Then consider they have a mandate to de-anonymize everything, TOR being a big wart 5 years ago.
They've got backdoors in ISPs, they've got MEs on-die, they've got entire protocols weakened.

Now consider they invented TOR, and it was designed for a time when nobody knew about it at all.
You're a blind relay between a-holes and serious eyeballs with resources. Nothing to worry about!


Clive RobinsonSeptember 12, 2018 12:12 AM

@ Fill in the blank,

I feel the problem is with Tor Browser and NoScript,

The problem in the case of this vulnerability only is that somebody modified NoScript to allow a Tor Browser specific item to run in the Firefox browser (JSON viewer[0]).

However, that does not change the fact that Tor is architecturally wrong to be secure these days.

If you want to know why, either search back in this blog or wait till next Friday and ask on this thread when it has quietened down, as it tends to be a long conversation going through it.

@ Tatütata,

I run a Tor intermediate relay, out of curiosity. ... ... Strange thing, it is neither an entry or an exit node, so why the hostility?

Because FUD has tarred you with alleged illegal activity in an adverse way.

Like any place where enough humans gather, economic theory says "markets will be established". And based on US prison statistics, where a little more than 1 person in 140 is in jail, when you make adjustments for jail terms in eligible populations and a few other things you have something like a 50:50 chance of a criminal being in any group of five or above.

Thus on --misused-- probability alone you would expect around 1 in 5 of both Internet and Tor users to be engaged in illegal activities, that represent some fraction of their online activities[1].

But... the further assumption is that as criminals like to keep their criminal acts anonymous or secret, then an anonymity system must be used by them in preference to other methods of communications, thus you get claims of "most" or "substantial" and other weasel words used when it comes to Tor and other anonymity networks.

One classic in this is "Dark Net", which originally meant that part of the Internet NOT indexed by the big search engines, which was by far the greater part... Many assume from "dark" it must be illegal activity...

It's a viewpoint that many Government entities are keen to encourage as it makes their life simpler...

Thus in quite a few people's minds being actively part of Tor means you are either a criminal or "aiding and abetting" a criminal[3].

Thus you are assumed guilty of a criminal act and thus shunned as a criminal by those who care more about their perceived position than their actual position in the scheme of life.

It is the same as village gossip where somebody says you are bad every time your name is mentioned simply because you don't have net curtains, or some other meaningless "virtue", or more likely you don't give them the status they think they are entitled to, or you wear green or some such. They work on the theory that if they say it often enough then everyone will come to believe it; sadly in villages that is all too often true[4]. Thus having your IP address on a list of Tor addresses is in their eyes damning, because they see you as carrying the mark of Cain or the Devil, thus you must not be allowed to cross the threshold and are told so. If they could they would hang the Internet equivalent of a Scarlet Letter on you, as that would in their eyes be better than burning you at the stake...

Yes, it's another modern day form of bigotry. But petty, venal, and small minded behaviours unfortunately never go out of favour in human societies. Especially when those who are paternalistic, self righteous, or on a mission get the notion "to put you right for your own sake", because in their mind they could never be wrong... It's actually the same behaviour that gives rise to all the ills of vigilantism, racism and discrimination.

[0] Why on earth people who lock out JavaScript should want to allow JSON I really do not know. The excuse for JSON's existence is "better stateful web browsing", which is not what the web was designed for. Thus, like all extensions, it carries functional overloading baggage, and some of that is always going to be security vulnerabilities, due to the nature of what functional overloading does.

[1] Part of the FUD is to say that if 20% are criminals then 20% of traffic must be illegal activities; it's a false assumption. Because if you look at real life, even the most prolific of street criminals only spend a fraction of their time when walking on the streets committing criminal acts. Because even they have to do the normal acts of living like shopping and socialising, as nobody is "100% on the job" all their waking moments, as "that way madness lies"[2].

[2] From Shakespeare's King Lear, a quote now so common that few who use it know it's even a quote, let alone its origin.

[3] Aiding and abetting is a rather suspect legal doctrine, but, slightly over simply, you are guilty by association, where you, not the prosecution, carry the burden of proof. It's just one of the reasons we have "common carrier" status for major communications entities, but not "the little people"...

[4] As such spoken behaviour is rarely recorded in history, you have to look at the anonymous writers of "poison-pen letters" to individuals and "green-ink letters" to those in authority or media.

NameSeptember 12, 2018 2:35 AM

"Thus having your IP address on a list of Tor addresses is in their eyes damning because they see you as carrying the mark of Cain or the Devil, thus you must not be allowed to cross the threshold and told so. If they could they would hang the Internet equivalent of a Scarlet Letter on you, as that would in their eyes be better than burning you at the stake..."

From Ancient Greek δρᾶμα (drâma, “an act, a theatrical act, a play”)


Keeping unknown people outside is standard policy in most homes and offices.
Guy with the same mask as guy who robbed the bank last week isn't allowed in the bank.

Not quite "bigotry" even if it is based on old information. TOR is a blind relay.
They have no way of defeating that. So, they ban the relay. Problem solved at cost.

It's not like they're going to say "obvious masks are now allowed in the bank" that's just silly.
Sometimes it's actually not a demonic conspiracy.

Clive RobinsonSeptember 12, 2018 4:32 AM

What security matters most to you?

It's a question that all people in the White Anglo Saxon Protestant (WASP) nations should ask themselves every day.

If you were really honest with yourself you would not give the glib answers most do, but actually think about it, then ask yourself how you would stop the effects of that security going wrong on you and those you know.

In that light this article by Matthew Desmond, 2017 Pulitzer Prize winner for general nonfiction, should be on your fairly urgent reading list,

https://www.nytimes.com/2018/09/11/magazine/americans-jobs-poverty-homeless.html

Whilst it is US based, the attitudes that caused it are becoming more obvious in the north of the EU. Put simply, it's a formula to make the 1% get more than 99% of assets, and it's a slight variation of what allegedly came from Northern Europe via the early settlers as The Protestant Work Ethic.

Clive RobinsonSeptember 12, 2018 6:13 AM

@ Bruce and the usual suspects,

Yet more crypto currency / blockchain madness,

https://www.telegraph.co.uk/business/business-reporter/blockchain-trial-in-healthcare/

And from a privacy point of view quite worrying. The blockchain can only provide a limited level of immutability of records at best with public ledgers, not other forms of security...

Most regulatory bodies regard crypto currencies as vehicles for risky speculative investment only (which the BitCoin value fluctuations tend to confirm). Do you really want your Dr's finances to be high on the hog today and down with the church mouse tomorrow, or worse still completely spirited away overnight because somebody hacked their exchange...

D-503September 12, 2018 8:18 AM

@Name: "obvious masks not allowed in the bank"
is a misleading analogy.
A more accurate analogy is requiring everyone who comes within 50 yards of a bank to provide fingerprints and an ID with home address. There are of course facilities that do this, but I don't know of any retail banks that would do that*.
Given the amount of info that can be linked to a person's IP address, maybe a body cavity search is a more accurate analogy.
I don't have any solutions, I just wanted to point out that the "collect it all" mentality isn't usually motivated by security.

*Some retail banks do require an ID card for entry or have security guards individually check each customer out before letting them in, but that's only in countries where extreme poverty is the norm.

VinnyGSeptember 12, 2018 9:04 AM

@clive robinson re:"Thus you are assumed guilty of a criminal act and thus shuned as a criminal by those who care more about their perceived position than their actual position in the scheme of life."
There seem to be quite a few posters here with a similar mindset...

NameSeptember 12, 2018 10:31 AM

"A more accurate analogy is requiring everyone who comes within 50 yards of a bank to provide fingerprints and an ID with home address."

Not really, no. Blocking TOR is blocking masks, not positively identifying anyone really.

vas pupSeptember 12, 2018 12:40 PM

The European Parliament has passed a resolution calling for an international ban on so-called killer robots:
https://www.bbc.com/news/technology-45497617

"Autonomous weapons systems must be banned internationally," said Bodil Valero, security policy spokeswoman for the EU Parliament's Greens/EFA Group.

"The power to decide over life and death should never be taken out of human hands and given to machines."

The resolution comes ahead of negotiations scheduled at the United Nations in November, where it is hoped an agreement on an international ban can be reached.

But some countries - including Israel, Russia, South Korea and the US - opposed new measures at the August meeting, saying that they wanted to explore potential "advantages" from autonomous weapons systems."

Clive RobinsonSeptember 12, 2018 3:14 PM

Remember Maxwell's little demon?

He first appeared in 1867 and in the past hundred and fifty years he has popped up occasionally, but more frequently of late, since it was realised it did not in fact contravene the Second Law of Thermodynamics.

It was a thought experiment thought up by James Clerk Maxwell that hypothesized a way to reduce entropy in a closed chamber[1]. Oh, and with that entropy "noise" as well, which kind of makes it of significant interest in quantum computers, where the real issue is not how many qubits you can put on a chip but how you get that pesky noise down.

Some years ago people, having realised that it might just be possible to do the experiment for real, tried it out, but the results were not that impressive. Well, late last year Prof. David Weiss at Penn State appears to have cracked it right open,

https://www.nature.com/articles/s41586-018-0458-7

http://science.psu.edu/news-and-events/2018-news/Weiss9-2018

Which is not good news for some...

But oh boy, is it really bad news for others...

[1] https://en.m.wikipedia.org/wiki/Maxwell's_demon

ThothSeptember 12, 2018 5:48 PM

@Clive Robinson, all

Re: Post-Quantum

Don't worry, there is so much PQCrypto love going on and, if my memory serves me right, TLS 1.3 already has some PQCrypto love and algorithm agility going on.

There is lots of talk about Lamport signature and Hash-based Sigs with one leading example, Merkle's Winternitz algorithm.

Also note that even the IOTA cryptocurrency uses Winternitz PQC as their digital signature.

Oh wait ... was there some report that the IOTA members bashed and attacked security researchers regarding their problematic homebrewed hashing algorithm (not the digital signature) portion?

That's the future for cryptography as some might say ....
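Since Lamport signatures and hash-based schemes are named above but not shown, here is a minimal Lamport one-time signature over SHA-256 as an added worked example (my code, not code from Thoth's comment or from NoScript, IOTA or any project named on the page). It shows the sign/verify mechanics hash-based schemes build on, and quantifies why a key must be used exactly once, which is what Merkle trees and Winternitz chains are layered on to manage.

```python
"""Lamport one-time signature (hash-based) over SHA-256 -- added worked example.

Constructed for illustration only; not a production implementation.
"""
import hashlib
import secrets

HASH = hashlib.sha256
N_BITS = 256          # digest length in bits: one preimage pair per digest bit
CHUNK = 32            # each preimage / hash is 32 bytes


def keygen(rng=secrets.token_bytes):
    """Private key: 256 pairs of random 32-byte preimages.
    Public key: SHA-256 of every preimage, in the same (index, bit) layout."""
    sk = [(rng(CHUNK), rng(CHUNK)) for _ in range(N_BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(message: bytes):
    """Bits of SHA-256(message), most significant first."""
    d = int.from_bytes(HASH(message).digest(), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def sign(sk, message: bytes) -> bytes:
    """For each digest bit, reveal the preimage from the matching half of the pair.
    Note that this discloses exactly half of the private key."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_digest_bits(message)))


def verify(pk, message: bytes, signature: bytes) -> bool:
    """Re-hash every revealed preimage and compare with the public key entry
    selected by the recomputed digest bit. Any mismatch rejects."""
    if len(signature) != N_BITS * CHUNK:
        return False
    for i, bit in enumerate(_digest_bits(message)):
        chunk = signature[CHUNK * i:CHUNK * (i + 1)]
        if HASH(chunk).digest() != pk[i][bit]:
            return False
    return True


def revealed_preimage_count(signed_messages) -> int:
    """Defender's exposure metric: how many of the 512 private preimages an
    observer has seen after the listed messages were signed under ONE key.
    One signature reveals 256; each further one reveals about half of the rest."""
    seen = set()
    for msg in signed_messages:
        for i, bit in enumerate(_digest_bits(msg)):
            seen.add((i, bit))
    return len(seen)


def is_reconstructible(signed_messages, target: bytes) -> bool:
    """True when every preimage a signature on `target` needs has already been
    revealed by earlier signatures under the same key -- i.e. key reuse has made
    that signature derivable without the private key."""
    seen = set()
    for msg in signed_messages:
        seen.update(enumerate(_digest_bits(msg)))
    return all((i, bit) in seen for i, bit in enumerate(_digest_bits(target)))


if __name__ == "__main__":
    sk, pk = keygen()
    m1 = b"constructed message one"
    sig = sign(sk, m1)
    print("valid:", verify(pk, m1, sig))
    print("tampered:", verify(pk, m1 + b"!", sig))
    print("revealed after 1 sig:", revealed_preimage_count([m1]))
    print("revealed after 2 sigs:", revealed_preimage_count([m1, b"two"]))
```

The last two lines make the one-time property concrete: a single signature already exposes 256 of the 512 secret preimages, and a second exposes roughly 384, so reuse steadily hands an observer the material to forge.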

ThothSeptember 12, 2018 5:58 PM

@Clive Robinson. all

Re: Blockchain & Cryptocurrency problems

Well, it simply just keeps getting better.

Weaker countries with broken economies (i.e. South America, Turkey ... et al.) are looking to use blockchain and cryptocurrencies to supplement their existing currency crisis, in an attempt to create what they perceive as a more stable currency than pegging their already decimated currency against other real world currency, which is as good as taking your own hands and covering your own eyes to pretend nothing happened.

The stronger countries would try to kill off blockchain and cryptocurrencies to ensure their currency's dominance over these cryptocurrencies.

Cryptocurrencies and blockchains are an interesting human as well as technological experiment that has already served its purpose, and it's about time to move on. The remaining "value" of these cryptocurrencies will simply evaporate sooner or later, and someday people will realize that storing all their records on blockchains is an interesting but not fully workable idea.

It is better and more efficient to do a replicated database backup with digital signatures than blockchain alone.

The interesting trend is that the mainstream industries are looking at blockchain only to store some sort of important records selectively (i.e. the digital signature of a backup or some small but highly important information), as it is becoming apparent that blockchain sizes grow very rapidly and a huge blockchain is not easy to traverse or edit as it grows in size, and the best bet is to keep it lightweight.

echoSeptember 12, 2018 10:16 PM

Unless anyone reading this has a good understanding of technique and processes they won't spot that this is actually by design. You have to traverse a huge block of data to spot this, plus resistance to change and essentially defrauding people, and gather enough evidence to justify a prosecution for corporate manslaughter. If the same security service "experts" deployed their skills to protect citizens from the state, what would the conclusion be?

It is notable from recent draft legislation that the UK state does not consider human rights (or equality) when drafting legislation, in contravention of citizens' European Convention rights.

While pushing a forced leave of the EU the UK is also siding with the authoritarian regime in Hungary to prevent Article 7 being triggered against Hungary.

There is a logic to the UK state but it doesn't make sense from a first principles point of view.

https://www.theguardian.com/commentisfree/2018/sep/12/my-son-learning-disability-early-death
Recent inquests into the early and avoidable deaths of people with learning disabilities expose a catalogue of failures in understanding and communication with those people and their families; a refusal to listen, to act quickly, or to meet the most basic of needs. The pain of bereaved families has been exacerbated by a defensive attitude on the part of NHS trusts. This includes their endeavour to manage and contain negative publicity at the expense of a properly human response to deaths in their care, and a willingness to subject family members to hostile examination by their legal teams at inquests.

echoSeptember 13, 2018 5:39 AM

Yet more examples of incompetent and abusive power twisting the system to its own ends. If the government were engineers the bridge would have fallen down a long time ago. Some of the tat on EBay is better built than their excuses.

https://www.disabilitynewsservice.com/bill-on-mental-capacity-and-liberty-deprivation-will-take-disability-rights-backwards/

Disabled campaigners say the government must delay a controversial bill they believe would make it easier to restrict the freedom of people in care settings who lack capacity to make their own decisions.

https://www.theguardian.com/world/2018/sep/13/workplace-gender-discrimination-remains-rife-survey-finds

Gender discrimination in the workplace remains rife, with many young women experiencing sexual harassment, job insecurity and low pay compared with male peers, a survey has found.

https://www.theguardian.com/business/2018/sep/13/john-lewis-profits-dive-99-percent

The results prompted the UK’s Brexit secretary, Dominic Raab, to criticise businesses for blaming poor performance on Brexit, after John Lewis said uncertainty about the outcome of EU talks was partly to blame for the expectation that profits would be “substantially lower” than last year.

[...]

“All I’m gently saying it’s rather easy for a business to blame Brexit and the politicians rather than taking responsibility for their own situation.”

https://www.theguardian.com/uk-news/2018/sep/13/gchq-data-collection-violated-human-rights-strasbourg-court-rules

GCHQ’s methods in carrying out bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards, the European court of human rights has ruled in a test case judgment.

echoSeptember 13, 2018 6:05 AM

I wonder if the proposed post-Brexit sanctions regime is really just a temper tantrum. Post Bretton Woods it was UK banks who actually broke the international banking system in the first place.

https://www.theguardian.com/news/2018/sep/07/the-real-goldfinger-the-london-banker-who-broke-the-world

Warburg’s new bond issue – these bonds became known as “eurobonds”, after the example set by eurodollars – was led by Ian Fraser, a Scottish war hero turned journalist turned banker. He and his colleague Peter Spira had to find ways to defang the taxes and controls designed to prevent hot money flowing across borders, and to find ways to pick and choose different aspects of different countries’ regulations for the various elements of their creation.

https://www.theguardian.com/uk-news/2018/sep/06/britain-says-brexit-will-open-door-to-tougher-russia-sanctions

The UK Foreign Office on Thursday formally admitted that loopholes in the EU sanction regime meant that in March the Russian VTB bank was excluded from EU sanctions even though it was the only bank involved in issuing eurobonds worth $4bn to finance Russian sovereign debt.

VTB Capital was an English-based subsidiary and as such was not designated under EU sanctions and so able to act as book runners for the sale of Russian state bonds.

CallMeLateForSupperSeptember 13, 2018 12:49 PM

Oh yeah.... I so want to abandon all three of my meticulously crafted passphrases and leave authentication to a wireless carrier. Not.

What, exactly, would this scheme authenticate? A person or a phone?

"U.S. Mobile Giants Want to be Your Online Identity"

"Tentatively dubbed 'Project Verify' and still in the private beta testing phase, the new authentication initiative is being pitched as a way to give consumers both a more streamlined method of proving one’s identity when creating a new account at a given Web site, as well as replacing passwords and one-time codes for logging in to existing accounts at participating sites."

https://krebsonsecurity.com/2018/09/u-s-mobile-giants-want-to-be-your-online-identity/

Wesley ParishSeptember 14, 2018 5:12 AM

@moz

The FBI probably closed down the solar observatory because the scientists had discovered the FBI's secret stash of leaf. :) whatever size pinch of salt you take, bro, whatever size ...

More fun and games courtesy of ElReg:

Top Euro court: UK's former snooping regime breached human rights
https://www.theregister.co.uk/2018/09/13/human_rights_court_slams_ukgovs_snooping_regime/

The Reg takes the US government's insider threat training course
https://www.theregister.co.uk/2018/09/13/nittf_insider_threat_self_analysis/

Solid password practice on Capital One's site? Don't bank on it
https://www.theregister.co.uk/2018/09/13/capital_one_passwords_website/

Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS
https://www.theregister.co.uk/2018/09/12/feedify_magecart_javascript_library_hacked/

And some from The Inquirer:

Cold boot attack puts Apple, Dell and Lenovo laptops at risk of data theft
https://www.theinquirer.net/inquirer/news/3062760/cold-boot-attack-leaves-apple-dell-and-lenovo-laptops-at-risk-of-data-theft

GCHQ's mass surveillance violates citizens' right to privacy, ECHR rules
https://www.theinquirer.net/inquirer/news/3062693/gchqs-mass-surveillance-violates-citizens-right-to-privacy-echr-rules

(The Inquirer's take on the same topic as above.)

Veeam left 445 million customer records on open AWS server
https://www.theinquirer.net/inquirer/news/3062611/veeam-left-445-million-customer-records-on-open-aws-server

(I think we can say that was a breach of faith on the part of Veeam.)

WeatherSeptember 14, 2018 5:25 AM

Moz
600-700 km north, north-west of Area 51, in the mountains, is a mil base, second ridge. I wonder what they do there.

bttbSeptember 14, 2018 5:28 AM

https://www.emptywheel.net and
from https://www.nytimes.com/2018/09/13/us/politics/manafort-plea-deal-prosecutors.html :

"Paul Manafort, President Trump’s former campaign chairman and one of Washington’s most prominent lobbyists, is close to a plea deal with federal prosecutors to avoid a trial scheduled for next week on charges stemming from work he did for pro-Russia political forces in Ukraine, people familiar with the case said on Thursday.

[...]

Mr. Manafort’s trial on the second set of charges is scheduled to get underway on Monday in United States District Court in Washington. A pretrial hearing, which had been postponed this week, is scheduled for Friday.

[...]

Prosecutors have been approaching the second trial much like the first: with a wealth of documentary evidence and a range of witnesses who worked with Mr. Manafort over the years. In pretrial filings, they listed 2,127 potential exhibits.

The defense was hoping to show that the special counsel had targeted Mr. Manafort because he had overseen Mr. Trump’s presidential campaign. But Judge Amy Berman Jackson of United States District Court for the District of Columbia had already signaled that the argument was out of bounds..."

bttbSeptember 14, 2018 6:15 AM

From Luppen, nycsouthpaw on twitter, https://www.yahoo.com/news/kavanaugh-contradicts-white-house-account-credit-card-debt-leaving-questions-234449883.html :

“…Many Americans have complicated financial situations. Nevertheless, we ask federal judges and judicial nominees to disclose their affairs sufficiently to show that there are no unknown conflicts of interest that could interfere with the judge’s ability to do their job. After months of questions about Kavanaugh’s [Supreme Court Nominee] personal financial situation, it remains nearly as murky as it was the day President Trump called him forward in the East Room.”

JG4September 14, 2018 7:16 AM

Thanks for the ever-helpful discussion. It would be fairly easy to run PGP on a C-v-P platform where the connection is heavily-filtered optical data diodes. And the energy-gapped processor is in a nice Faraday enclosure. I have a few designs for simple cheap ones.

My primary threat model is IP theft. A secondary threat model is all other aspects of attack surface, including various aspects of identity spoofing. Can't recall if it was posted here, but I saw that deep-fake video can now reproduce mannerisms.

https://www.nakedcapitalism.com/2018/09/links-9-14-18.html

...[I asked the gas company twice 10 years apart about automatic shut-off valves - no response]

Man killed, 12 injured after 70 gas explosions, fires rock Lawrence, Andover, North Andover WHDH

Google wants to get rid of URLs but doesn’t know what to use instead Ars Technica. This and AMP. Horrid.

Where in the World Is Larry Page? Bloomberg

Ig Nobel prizes honor do-it-yourself colonoscopies, a curious use for postage stamps, and other peculiar research Science

‘I Want to Burn Things to the Ground’ Chronicle of Higher Education. On the replicability crisis.

...

UK mass surveillance violates right to privacy, rules European court Deutsche Welle

...[sick-care crime cartel is a self-optimizing resource-extraction asset-stripping engine run by psychopaths]

Health Care

Prominent NYC hospitals making millions through captive insurance companies Modern Healthcare

...

Clive RobinsonSeptember 14, 2018 11:37 PM

@ Thoth,

That's the future for cryptography as some might say ....

Yup.

There is an old observation that is true that,

The only reason Neil Armstrong put a foot on the moon was because the US was seen to be failing yet again thus US politicians had to be seen to be doing something.

Much of mankind's progress is because those in power get embarrassed. It's an important point to remember in life.

On the crypto side of embarrassed we have the IEEE with WEP, and EMV with just about everything they've done since SET.

The reason these things fail is the "Make it So" management attitude that the none too bright managers think makes them look decisive (Dunning-Kruger effect?). And those who realise it for what it is and, due to no moral incumbency, use it to their advantage...

Thus "quick and dirty" is what those who are more technically adept beneath them offer up to none too bright managers as a solution. Because they realise that anything else will only harm their future, as such managers absolutely abhor those who say "Do it right or don't do it" or even "Take the time to get it right". Those managers want solutions not problems today, not next quarter, and the shareholders want money today and care not a jot about loss tomorrow "because they are smart" too...

Which is why smarter people with no morals ensure two things. Firstly they make sure they never have "skin in the game", because secondly they never finish anything they start. Why? because they know,

    Finishing is for losers, not winners.

It works like this: you propose and champion a "grand project" that will solve all of management's dreams and make shareholders cream at the prospect of what will happen to the share price[1]. Knowing full well that the first third of any project shows only loss, you spend spend spend and keep the mantra going. Then at some point shortly thereafter you "cut and run", because you know it's the second third of a project where problems not seen in the original "grand idea" boomerang, and if they can not be caught they are killers. You also know that the odds of catching them all is in inverse proportion to the "grandness" of the idea[4], so you do not want to be around to be the catcher as it has no upside.

The actual upside for you is you can put a grand project on your CV and milk it for all it's worth to get a new better job. Because you know that those you've left behind will do one of two things "succeed short" or "fail long".

That is, if they catch all the problems the project will get beyond the point of delivery, thus is a success. If they don't then management, to avoid embarrassment, will spin it up for all they can, to keep shareholders on side. So they too can grab their bonuses and run before the bus goes over the cliff.

Thus if that "grand idea" is announced as a success you claim it, because it was your idea and your leadership that set the course to success that those you left behind simply followed. If however it fails it is the fault of those you left behind for not following the course you set and thus running up against the rocks on which it foundered and sunk.

So either way by cutting and running you win; for those who don't, all they have is the improbable option to draw or most likely lose.

So as I said "Finishing is for losers, not winners".

And you win even better if you can find a useful idiot to evangelize for you, because they are the one in the public eye effectively "selling your fraud", thus can take the fall. Whilst you walk away and, if ever challenged, you were at worst just another victim who suspected but could not prove before everybody else there was something wrong etc etc... Thus maintaining the impression you were still the smart one in the room.

[1] The entire purpose of the idea is to sound "Grand"; reality is of no interest[2]. In fact the further from reality it is, the more likely it is to get senior management and shareholder buy-in and, better still, "new investor money"[3]. All you really need is the ability to "Sell new clothes to an Emperor".

[2] The joy of leading edge technology like "blockchain" and "cryptocurrency" is very few, even the supposed experts, know what it can do. So you can say it will solve any problem under the sun; all you need is a nice sounding but nonsense argument as to why it will. It's that "Evangelizing" aspect that you are selling, thus you must brook no argument: any one who disagrees is "wrong wrong wrong" or "uneducated" or "lacking vision" or some other personal failing as to why they won't see the dream. You get to see this in cryptocurrency arguments all the time, and it's a fairly clear indicator somebody's rice bowl is full of snake oil. The question is who, the useful idiot doing the evangelizing or the person behind them taking the gate money (and getting some aerobic exercise before the show is over ;-)

[3] Which is how "bubble markets" form, swell and burst. Because as someone once noted "A fool and their money are soon parted". Thus the real trick in investing is to be a "Hot potato merchant": you buy it in cold, heat it up real hot and pass it on before your fingers get burnt. The illegal version is "Pump and Dump", though where the legal / illegal line lies is a very very broad area open to much discussion and little action by authorities. Who, let's face it, are people whose benefits come from not understanding the illegal argument.

[4] It's the primary reason big ICT projects fail.

Clive RobinsonSeptember 15, 2018 3:00 PM

@ Bork Bork Bork,

OK so you read it and found one of probably several spelling mistakes. Fine, I'm not perfect, and the grammar could probably do with some polishing as well.

But... You could also have made comment about the content; at least others would see you have a subject related POV. Rather than just people making an opinion about you on what is effectively an unrelated issue, no matter how much it might niggle.
