Friday Squid Blogging: Eat Less Squid

The UK's Marine Conservation Society is urging people to eat less squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on October 12, 2018 at 4:01 PM • 110 Comments

Comments

PaOctober 12, 2018 4:50 PM

Spanish translation for "The Eternal Value of Privacy" is unavailable. Pls check, value of that fundamental essay is just too high to be unavailable to the 500MM Spanish speaking individuals around the world. Thanks. Freedom.Libertad.

InSecureOctober 12, 2018 5:56 PM

Easy DNA Identifications With Genealogy Databases Raise Privacy Concerns
https://www.npr.org/sections/health-shots/2018/10/11/656268742/easy-dna-identifications-with-genealogy-databases-raise-privacy-concerns

"In a paper published Thursday in the journal Science, the researchers projected that they could identify third cousins and more closely related relatives in more than 60 percent of people of European descent. (They chose this group because most people in their database have that ancestry.)...In another part of the study, the researchers went even further to see if they could do the same thing with other DNA databases. They were able to use their techniques to identify a supposedly anonymous woman whose DNA was stored in the 1,000 Genomes Project, a National Institutes of Health research database."

A MAP OF EVERY BUILDING IN AMERICA
https://www.nytimes.com/interactive/2018/10/12/us/map-of-every-building-in-the-united-states.html

Graduate Student Solves Quantum Verification Problem
https://www.quantamagazine.org/graduate-student-solves-quantum-verification-problem-20181008/

"Now, after eight years of graduate school, Mahadev has succeeded. She has come up with an interactive protocol by which users with no quantum powers of their own can nevertheless employ cryptography to put a harness on a quantum computer and drive it wherever they want, with the certainty that the quantum computer is following their orders...Using classical cryptography in the quantum realm is a “truly novel idea,"

Clive RobinsonOctober 12, 2018 7:25 PM

@ InSecure,

Graduate Student Solves Quantum Verification Problem

@echo posted this a few days ago, and I had a couple of reads through it. There's actually a lot to digest in the work and I can see some implications to it other than that which was desired.

MarkHOctober 13, 2018 3:04 AM

On Genetic Identification

To supplement @InSecure's comment above, here's another story (from wired.com).

Some thoughts:

1. There was some discussion here in recent months about indirect DNA identification, before this demonstration that it already works for most Americans.

At least one commenter proposed that the situation called for privacy protections, but the problem here seems nearly intractable, because other people have the right to disclose their personal data in whatever manner they see fit, regardless of how little or how much it may effectively disclose about me.

I don't see how I could justly assert a right that would restrict their right of disclosure.

2. A typical "match set" from the techniques used can be very large, but the project demonstrated that a few simple pieces of data (for example, geographic location within 100 miles and date of birth within 5 years) are often sufficient to prune the list of matches to a manageable size.

3. However we may feel about such a diminution of privacy, this train has already left the station. I don't see any hope of returning to the status quo ante.

Some good news, is that more violent criminals are likely to be apprehended. Another bit of good news, is that (as far as I have imagined it), in typical situations other than violent crime, there would be little occasion and/or incentive for gathering DNA for purposes of identification.

The disturbing news, is that this capacity will be misused in ways I haven't foreseen, and perhaps noone has yet invented ... but it's sure to happen.

Clive RobinsonOctober 13, 2018 4:37 AM

@ MarkH,

in typical situations other than violent crime, there would be little occasion and/or incentive for gathering DNA for purposes of identification.

Whilst that might be true for the US it is certainly not true for other nations. The UK has had several cases of DNA being taken without sufficient cause and it being kept indefinitely on Police and Govetnment databases as well as some test house and other commercial DBs.

The point is "knowledge is power", and people will not willingly give up such power once they have it.

For instance back in East Germany after it's fall the government were found to have jars containing peoples used under clothing that had been taken without their conscent. The apparent purpose was just incase they became "wanted" the government had suitable material for the use of tracker dogs... Leap forward a few years into a united Germany and suddenly it's found that the new government is up to the old Stasi trick again for what apprears to be entirely political reasons underneath,

http://news.bbc.co.uk/1/hi/world/europe/6683803.stm

I'm reasonably sure if we were able to look we would find such abuses in every nation on earth in one form or another. Because that is the very essence of "Power Politics" which various people will never give up even unto the day they die (J. Edgar Hoover being just one well known example).

CarlOctober 13, 2018 4:47 AM

From the latest book, page 212: "Much of the damage caused by cyberattacks is psychological."

Would anyone know of some research on the topic, focused on corporate victims and defenders? After some searching I was able to find:
Immune from Cyber-fire, The Psychological & Physiological Effects of Cyberwar ; by Gross, Canetti, Waismel-Manor.
There are quite a few articles on effects of cyber-bulliying, but coud not find much on psychological effects of targeted cyberattacks on corporations and government/public institutions. If you are aware of any research material, please post some titles and authors.

Thanks.

CallMeLateForSupperOctober 13, 2018 7:09 AM

No good deed goes ... appreciated. If I were the hacker, I'd un-patch the routers of the "outraged".


"A Russian-speaking grey-hat hacker is breaking into people's MikroTik routers and patching devices so they can't be abused by cryptojackers, botnet herders, or other cyber-criminals,

"Alexey has not been trying to hide his actions and has boasted about his hobby on a Russian blogging platform. He says he accesses routers and makes changes to their settings to prevent further abuse.

"I added firewall rules that blocked access to the router from outside the local network," Alexey said. "In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions."

"But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged. [,,,] Internet vigilante claims he patched over 100,000 MikroTik routers already.:

https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/

Little LambOctober 13, 2018 9:09 AM

Eat more pollock and less squid.

Interesting. If we were to stay to the facts, pollock is made into surimi, fake crab, "krab," so-called "California" style sushi rolls, etc. Cheap and plentiful, but over-processed and not available to the consumer as the whole fish. No sport or non-commercial fishing for pollock, either.

Sounds like a generic term for waste flesh of various species of fish. The word is basically a racial slur for a Polish man, not necessarily a particular fish.

Moving on to allegory, because this is simply too fishy for fact, this is a general order or threat from the political left (??) to fall into "pol"-itical line and stay away from squid-themed security forums.

Now I'm sure that many (if not most) folks on this forum consider themselves "liberal" in some sense of the word, but computer security in general is too "elitist" for a certain political hoi polloi out there, who demand easy access to others' computers under some mob-like color of authority or law. Our elitism is off-putting to "them" when "we" on this forum tend run our computers like Swiss banks, i.e., too "conservatively" when it comes to security.

(??) We have "too much money" in the computer industry, have acquired "limousine liberal" syndrome, and are being attacked from the political left by a certain crowd that is less technically inclined than we are. Remember hackers are "'leet" or "37337" etc.

Clive RobinsonOctober 13, 2018 9:09 AM

@ The usuall suspects,

You might find this paper of interest,

https://arxiv.org/pdf/1706.07257.pdf

It's an analysis of 21 recent "Control Flow Analysis" systems.

As older suspects know I've discussed this technique quite some time ago on this blog as a small part of getting "process signatures" to be monitored by a Hypervisor to detect changes in behaviour in software that might well indicate malware etc.

Little LambOctober 13, 2018 10:54 AM

@MarkH

indirect DNA identification, before this demonstration that it already works for most Americans

Electron microscopes are damned expensive, and that Watson-and-Crick stuff is too small for the jury to see. Yeah, at the lab you "know what happened" and don't need to get into all the technical details. Just print out the results and give the standard educational slide show for the jury.

gathering DNA for purposes of identification

Some "G-man" investigator as seen on TV happened to see a lipstick stain on a wine glass left on the table at a restaurant, wiped it off with his handkerchief, sneaked a peek at the restaurant receipts and found his "match."

misused in ways I haven't foreseen

The ladies were playing BINGO at Finn Hall next door, they got their "DNA match" XY on 1,000,000:1 odds, and they called blackout.

They checked their horoscope in the paper after finishing the crossword puzzle, and oh, yes, "that guy" was there at that time and place, and there are "witnesses" willing to "come forward."

Alyer Babtu October 13, 2018 11:33 AM

less popular UK species such as ... herring ...

The article is talking about the UK, right ? Is nobody having kippers for breakfast and high tea any more ?

MarkHOctober 13, 2018 11:45 AM

@Clive:

The examples you offered, of improper collection or retention of identifying material, somewhat underscore the point I was trying to make.

Probably if somebody took a personal item to obtain a sample of my DNA, they already knew who I am. That action would not serve to discover my identity, but rather to facilitate future identification of me by means of trace evidence.

The gist of the new research, is that this step probably isn't necessary anymore.

It seems to me that scenarios where a "snoop"

• has an identifiable and likely uncontaminated sample of genetic material;

• doesn't know who left it; and

• has good reason to suspect that this unknown is a person of interest ...

are rather limited, though surely they will arise.

For example, nobody needs to steal the contents of the rubbish bin by my house to find out my identity. There are much easier, cheaper and more deterministic ways to find out whose house it is!

A very thorough analysis of this rubbish, however, might identify most persons who spent more than a short amount of time in my house during the week in which the rubbish accumulated. I suspect that such a process would be very costly, though as techniques and automation improve, it will only get cheaper.

Such analysis might also identify my postal carrier, people who handled food packaging at the markets, and perhaps some other cast of characters as well ...

This recently evolved ability to identify people will undoubtedly be used in frightening and dangerous ways. There will be some point at which motivation, feasibility and cost-effectiveness suddenly converge, and exploits will happen. I lack the foresight to predict where this may be.
____________________________

NOTE: By my understanding of US law, law enforcement officers need a search warrant to take items from my home or rubbish bin as a way of gathering DNA samples or any other kind of evidence. However, they can collect such items from a public space without a warrant. It has become fairly common to follow a suspect in order to gather a paper drinks cup or cigarette butt discarded in a public space, in order to get DNA to compare with crime scene samples.
____________________________

@Little Lamb:

As far as I understand the matter, the processes of DNA identification are essentially chemical, and don't involve any use of an electron microscope.

Gunter KönigsmannOctober 13, 2018 12:34 PM

About the device implants: since every pci device can come with windows drivers (my graphics card emulated an usb bus connected to an usb memory key filled with signed drivers that could be installed automatically for this purpose) and/or uefi extensions I guess that

1) if the apple and Amazon servers didn't contain an implant this time such implants will be found somewhere at some point in the future and
2) Spionage devices might really as small as the devices Bloomberg has shown: they need less memory than a 200 Gigabyte transflash card and for interfacing an pcie or usb bus it does need only about 4 Pins...

...all one has to get is a key for signing the software inside the device.

Little LambOctober 13, 2018 12:37 PM

http://www.govtech.com/security/Recovery-Has-Not-Come-Cheap-for-the-Alaskan-Borough-Targeted-by-Hackers.html

Mat-Su Borough got hacked to the tune of $2,000,000 after some male teacher was accused of improperly patting the wrong child on the back or something like that.


https://www.adn.com/alaska-news/mat-su/2018/09/27/wasilla-elementary-school-teacher-charged-with-sexual-assault-of-student/

Anyways, it sounds like the database technicians discovered that the sex offenders DNA registry database was corrupt when they attempted to restore it from backup, and they were scrambling to get off the property before they got arrested for possession of child pr0nography, you know, being on school grounds and all, so they had to hire an outside security consultant, and a bunch of lawyers, accountants, and auditors got involved, but they can't find really find a babysitter for their kids while they're working on it.

Gunter KönigsmannOctober 13, 2018 12:45 PM

Actually my small aspire one netbook came with a few pads for internal connectors additional hardware could be soldered to: an data hard disk, additional pci hardware and a few pins of one connector could be used as a. Additional usb bus.

I guess they included all that for future extensions or for versions with internal GPRS Chipsets, a real hard disk drive instead of an SSD or just for qualification tests. But - that means that places one could add spying devices to exist even in relatively simpke designs. Note that most standard integrated peripherals that aren't part of the main chipset are pci or usb ones.

JG4October 13, 2018 1:50 PM


The first excerpt is not far off what I perceive as The Real Clive's views. I don't recall him saying that anyone working for the man has to make a choice. John Boyd explicitly said that everyone has to make a choice between being someone (acceptable to the system) and doing something (intrinsically unacceptable to the system, otherwise the system would do it). Tragic that Big Tech and Big Data aren't mentioned here, because that precisely is where some of the largest thefts are happening and being rewarded richly.

https://www.nakedcapitalism.com/2018/10/clive-naked-capitalism-ammunition-war-information-2.html
...
For those of us on the inside, we don’t deserve any sympathy. But I’d like to offer a glimmer of insight into the conflict that those of us with any sort of conscience wrestle with because it is a conflict which is going to shape our societies over the next generation.
Increasingly, if you want to get and hang on to a middle class job, that job will involve dishonesty or exploitation of others in some way. Industries such as finance have seized and held onto larger and larger proportions of the economy.
The same disproportionate growth can be seen in financialised healthcare and finacialised education. Naked Capitalism has broken story after story of how these businesses have demonstrated a near-endless capacity for scandal, fraud and wrongdoings of every conceivable sort.
...

I want to raise again the question of quasi-anonymously sharing information, say via photobucket, imgur, pastebin or similar vehicle. I'd like to have a more robust discussion of releasing designs into the wild, of which I have many. I am acutely sensitive to the fact that "helpful to human rights activists" means "useful to organized crime." It may be helpful to consider whose crimes are the most organized on your planet.

The usual daily news compendium.

https://www.nakedcapitalism.com/2018/10/links-10-13-18.html
...

Big Brother is Watching You Watch

Facebook cyber attack sees data stolen from 29 million accounts in its largest ever data theft abc.net.au (Kevin W)

Cyber tests showed ‘nearly all’ new Pentagon weapons vulnerable to attack, GAO says NPR (Chuck L)
...

The US State Department withdrew Hillary Clinton’s security clearance and those of several former Clinton aides Business Insider (Kevin W)
...

Black Injustice Tipping Point

Retired firefighter found guilty for shooting at lost black teen on doorstep NBC
...

Clive RobinsonOctober 13, 2018 3:18 PM

Is SEC waking up to Cyber Security


https://www.nytimes.com/2018/10/08/business/dealbook/voya-sec-cyber.html

SEC has “Identity Theft Red Flags Rule” legislation for PII and similar protection, but has left it languishing in some dark corner for five years.

However Voya Financial Advisors, the investment advisory unit of Voya Financial were so "willful" in their negligence that finally SEC blew of the dust and draged the legislation out into the light of day to censure Voya with a "cease and desist order".

However it is estimated that the majority of financial enterties that fall under SECs purview are actually failing to meet the requirments in one way or another as they have not appeared in guidence information...

I guess we will now see a whole new cottage industry spring up around this.

Clive RobinsonOctober 13, 2018 4:17 PM

@ BSPMBS and others,

With regards Turkey and the disappearance of a Saudi Journalist in the Saudi consulate a question got possed,

    Against the House of Saud or the Empire of Trump?

Well the House of Saud has it's fingers in many pies. Not least of which is the US "Silicon Valley" companies, which the previous US administration held in high esteem

https://www.nytimes.com/2018/10/12/opinion/silicon-valley-saudi-arabia.html

Whilst the previous US administration held the companies in high esteem, more recent events suggest that that was in some cases misplaced.

It would appear that some of the money behind these companies was funneled into unhealthy relationships with very right wing politics, then into Russia, and then back out into attempts to rig various elections around the world via Social media and some more unplesant activities upto and including "wet work"...

On a similar note it would appear that the authoritarian leader of China might well be starting a significant backlash against the rich and non party powerfull,

https://www.newyorker.com/news/daily-comment/why-did-chinas-biggest-movie-star-and-the-interpol-chief-vanish

echoOctober 13, 2018 4:28 PM

I caught a lot of science news this week. I have linked to a handful of these artciles. The first involves data transfer via gravity which may be of communications security interest.

The other articles I linked to are mostly general science relating to big questions about dark matter and the theoretical issues surrounding turbulence which is a really interesting examination of simplicity and complexity and state changes. I offer these as more food for the mind than any specific observsation.

The forth article covers objectivity and bias in science. While the article mostly focuses on women's struggles with sexism in conjuction with Desmond Morris's (?) theories of hierarchial rigidity I propose that the article be read bearing in mind both contexts.

The fifth article notes a breakthrough in photonic computing which may have implications for data processing bring faster processing sooner, enabling the processing of more and more complex survellience data.

Sorry. I couldn't keep adding articles. This will do!

https://phys.org/news/2018-10-mathematicians-possibility-gravitational.html
Mathematicians confirm the possibility of data transfer via gravitational waves

RUDN mathematicians analyzed the properties of gravitational waves in a generalized affine-metrical space (an algebraic construction operating on the notions of a vector and a point) similarly to the properties of electromagnetic waves in Minkowski space-time. They report the possibility of transmitting information with the help of nonmetricity waves and transferring it spatially without distortions. The discovery could lead to a new means of data transfer in space, e.g., between space stations. Their results are published in Classical and Quantum Gravity.

https://curiosity.com/topics/some-physicists-think-time-may-be-slowing-down-and-will-eventually-stop-curiosity/
Some Physicists Think Time May Be Slowing Down — and Will Eventually Stop

The universe is expanding at an ever-accelerating rate. At least, that's what the vast majority of scientists would have you believe. But according to a team of Spanish physicists, it may not be the expansion of the universe that's changing rate, but time itself. Time might be slowing down, and that means that it could eventually stop altogether.

https://www.quantamagazine.org/famous-experiment-dooms-pilot-wave-alternative-to-quantum-weirdness-20181011/
Famous Experiment Dooms Alternative to Quantum Weirdness

Oil droplets guided by “pilot waves” have failed to reproduce the results of the quantum double-slit experiment, crushing a century-old dream that there exists a single, concrete reality.

https://arstechnica.com/science/2018/10/turbulence-the-oldest-unsolved-problem-in-physics/
Turbulence, the oldest unsolved problem in physics
The flow of water through a pipe is still in many ways an unsolved problem.

Some nearly 90 years later, the effort to understand and predict turbulence remains of immense practical importance. Turbulence factors into the design of much of our technology, from airplanes to pipelines, and it factors into predicting important natural phenomena such as the weather. But because our understanding of turbulence over time has stayed largely ad-hoc and limited, the development of technology that interacts significantly with fluid flows has long been forced to be conservative and incremental. If only we became masters of this ubiquitous phenomenon of nature, these technologies might be free to evolve in more imaginative directions.

https://www.wired.com/story/why-men-dont-believe-the-data-on-gender-bias-in-science/
Why Men Don’t Believe the Data on Gender Bias in Science

Why do men in science devalue such research and the data it produces? If anyone should be willing to accept what the peer-reviewed research consistently shows and use it to correct the underlying assumptions, it should be scientists.

But it is in large part because they are scientists that they do not want to believe these studies. Scientists are supposed to be objective, able to evaluate data and results without being swayed by emotions or biases. This is a fundamental tenet of science. What this extensive literature shows is, in fact, scientists are people, subject to the same cultural norms and beliefs as the rest of society. The systemic sexism and racism on display every day in this country also exist within the confines of science. Scientists are not as objective as they think they are. It is an extremely destabilizing realization for someone whose entire career has been rooted in the belief in human objectivity.

https://phys.org/news/2018-10-half-light-half-matter-particles-key-revolution.html

Scientists have discovered new particles that could lie at the heart of a future technological revolution based on photonic circuitry, leading to superfast, light-based computing.

WaelOctober 13, 2018 4:37 PM

@Clive Robinson,

It's an analysis of 21 recent "Control Flow Analysis" systems.

Good paper. Was only able to finish 4 or 5 pages -- got bored after a while, but I think I'll visit it again. Yes, some C-v-P concepts there.

CFI has received a lot of attention by the research community, but has not yet been widely adopted by industry.

Becuase the industry is full of self-certified experts, I tell ya! *snort* :) It's actually more dismal than that.

Memory errors are produced by memory unsafe languages, such as C and C++, which trade type safety and memory safety for performance.

Exclusively by unsafe languages?

By overwriting the return address, the attacker can change the control flow to any location during a function return.

Any function within the same address space, unless a HW bug in the MMU is also exploited.

stack canaries [7, 17] involve placing a canary value between the return address and the local function variables.

Canaries, again! Yaaawwwn.

This protection mechanism was circumvented by the invention of code reuse attacks (CRAs) [...] An example of this is the return-to-libc attack [...] Return oriented programming (ROP) [...] Jump oriented programming

Yea, we've seen these a lot lately.

Therefore, a larger search space means more effective security.

Security through Expansion of the Search Space. Where have I seen this principle? Hmmm.

Clive RobinsonOctober 13, 2018 4:42 PM

Trump Signed Drone Killer legislation

Bubbling away in the background has been legislation that alows the Fedral and othet authorities to attack drones or shoot them down without legal oversight, or for that matter to give rrasons for their actions.

Whilst some may think this is a good idea due to the usual overkill "Health and Safety" FUD, it has significant "freedom" implications.

As has been pointed out but not miuch reported by MSM etc journalists use drones these days to gather information for stories including those of Goverment reprehensible if not illegal behaviours.

This legislation now alows those offenders to take control / crash / shoot down such drones. As we know the FBI amongst other federal agencies has been less than honest about their activities and have received sanction only aftet independent evidence has shown their reporting of events to be false. Thus removing yet another method of independent evidence gathering can be seen as actually a threat to both the citizens and functioning of civil society in the US.

https://techcrunch.com/2018/10/04/despite-objection-congress-passes-bill-that-lets-homeland-security-shoot-down-private-drones/

Bong-Smoking Primitive Monkey-Brained SpookOctober 13, 2018 4:43 PM

@Clive Robinson:

Well the House of Saud has it's fingers in many pies. Not least of which is the US "Silicon Valley" companies, which the previous US administration held in high esteem

Everybody has their fingers in everybody else's pies. The world will significantly change in about four years.

echoOctober 13, 2018 4:44 PM

@JG4

I want to raise again the question of quasi-anonymously sharing information, say via photobucket, imgur, pastebin or similar vehicle. I'd like to have a more robust discussion of releasing designs into the wild, of which I have many. I am acutely sensitive to the fact that "helpful to human rights activists" means "useful to organized crime." It may be helpful to consider whose crimes are the most organized on your planet.

Is this meme even true? It is known a robust civic society helps uphold good governance. It is also true that good governance and good community tend to remove the causes of crime and reject crime. It might be useful to see if there is a sociology or other relevant speciality study examining this. There must be something out there.

@Clive

I have noticed this too.

Clive RobinsonOctober 13, 2018 4:55 PM

@ Wael,

Security through Expansion of the Search Space. Where have I seen this principle? Hmmm.

Just let me think a moment,

In real life it would be called "authoritarian overreach" as we see with "collect it all"...

However yes, similar "over reach" is happening in hardware via the likes of Intel's ME. Oh and of course every modern OS you find on consumer items has either "telemetry" or "ET phone home" to the Mothership in some authoritarian place.

Then there is the cloud and the likes of Palantir...

But I'm guessing that's not quite what you mean ;-)

WaelOctober 13, 2018 5:12 PM

@Clive Robinson,

But I'm guessing that's not quite what you mean ;-)

It's not what was on my mind but applicable. It's the beauty of Security Principles that apply to all phases of product development: Inception, Architecture and Design, Implementation, and Operation. We discussed some of these aspects for quite some time. There is one thing I'd like to pick your brain on:

What's the difference between Architecture and Design in a software development setting, with emphasis on "Security Aspects"? I have some opinions but don't want to tell you what they are so I do't taint your thinking. Give me something other than what's published on the Web ;)

MarkHOctober 13, 2018 5:17 PM

@Clive:

Thanks for the Bear SSL link, it's a nice write-up. I wrote some bigint code back in the day, and learned many of the speed optimization techniques along the way -- though the extremal-bits optimization to binary gcd was new to me.

It's also interesting to me, reading about measures taken to ensure constant execution time, which wasn't a concern for my application.

@echo:

I haven't attempted to keep up with research in fluid dynamics, but it's no big surprise that turbulence remains elusive.

In one of my previous lives, an application required the design of systems to release a fluid which is stored at high pressure as a liquid, and which boils into gas as it flows through the discharge system ... imagine how chaotic that must be!

There was no hope of theoretical modeling, only rules of thumb and tables of empirical data.

WaelOctober 13, 2018 5:21 PM

@Clive Robinson,

But I'm guessing that's not quite what you mean ;-)

Told you what I didn't mean but forgot to tell you what I meant. Reduction of the attack surface by Expansion of the search space. There! I said a mouthful :)

echoOctober 13, 2018 5:27 PM

https://www.independent.co.uk/voices/matthew-hedges-jailed-uk-government-uae-relationship-arms-sales-a8582346.html

In May, Matthew Hedges, 31, was seized at Dubai airport as he attempted to leave the country following a two-week research trip for his PhD. The Durham University student had travelled there to conduct fieldwork for his doctoral thesis on the impact of Emirati security and foreign policies following the 2011 Arab Spring – a subject that no doubt touched a nerve with the authorities.

[...]

But we should ask ourselves a serious question: Is this really the direction of travel in post-Brexit Britain, one in which our government cosies up to repressive regimes, whilst academics and human rights defenders languish in their prisons? Matthew Hedges must be released. But beyond this, the government needs to question the company it keeps and at the very least, acknowledge the destructive impact of basic human rights abuses in the UAE.

I have been personally warned by a UK establishment person that to know what you want, mention the law, and bring up the subject of your rights will gaurantee the door being slammed. It is hell on earth feeling trapped in a virtual prison let alone a real prison half way around the world.

https://www.theguardian.com/uk-news/2018/oct/13/police-pressured-paramedics-to-give-inaccurate-statements-after-student-paralysed

Police watchdog 'pressed paramedics to give inaccurate statements' after student paralysed. Paramedics make claim at disciplinary hearing against four officers over incident left 20-year-old Julian Cole paralysed.

I have personal experience of rigged investigations being conduct behind my back only to read there was any investigation and an outcome in the newspapers. This is more evidence and much more graphic that deliberate corruption of investigations occurs.

echoOctober 13, 2018 5:46 PM

@MarkH

In one of my previous lives, an application required the design of systems to release a fluid which is stored at high pressure as a liquid, and which boils into gas as it flows through the discharge system ... imagine how chaotic that must be!

I didn't know anything beyond the simple stuff until I read a very long article explaining how SpaceX modelled stuff in their engines.I recall mention of the doing some good optimisations and discovering a few good computational shortcuts or something which meant they could do more accurate and faster work. The article I quoted was new again to me. I'm glad I don't have to do this stuff! I can't begin to imagine how hairy your work must have been!

@Clive

As you might know Ross is more normally associated with "Security Engineering", and for a while "Security Economics",

So yes there are crossovers for the curious mind.

I would have and did completely miss this. The thought of crossovers was very much at the front of my mind which is partly why I didn't comment much. I felt people were knowledgeable and smart enough to make their own crossovers. You never know when a thinking widget fills a blank in and inspires something somewhere else.

ThothOctober 13, 2018 6:25 PM

@Clive Robinson, those that helped on bitwise math

Thanks for all the help. Was working to implement Keccak-256 hash function on a smart card and it is finally done. Since Keccak hash is not supported on all smart cards on their crypto processing units and there are no such precedents on actually usable Keccak hash source codes for smart cards, I had to do the 64-bit rotl, add, flip and xor operations by implementing those with the help here.

Works wonderfully and now able to generate a 256 bit Keccak hash in 10 seconds with a 136 bytes input block.

Looking to push the Keccak hash library for JavaCard to Github soon once I cleaned it up for public release.

Clive RobinsonOctober 13, 2018 7:15 PM

@ Wael,

What's the difference between Architecture and Design in a software development setting, with emphasis on "Security Aspects"?

It's a good question, which has filled many a book to answer, all with different Points of View. Which is going to make answering it in a short comment interesting ;-)

In the main the problem is because of the dual nature of the beast which has both style and substance, and moves from one to the other through many levels of the computing stack. With the addition of security a much larger range of the stack has to be considered, going well down into the physical layers and up beyond the user and even managment levels.

Part of the problem is the journey from 20,000ft view, through the 1000ft "green rush" down to the solidity of getting your feet on the ground in one piece.

At a sufficient distance it's easy to see a difference between architecture and design, but as you get closer all of a sudden architecture starts becoming design but there is no clear dividing line just a "zone of change/morphing".

Architecture is about the whole "functional system" and it's place within other systems. Each system is built with more general use components that have been designed for a limited scope utilitarian function. Thus the process is from the abstract high levels of functional architecture down through the many levels to the concreate nuts and bolts components that have usually been designed without refrence to any architecture just specific well designed utilitarian function.

As I've mentioned on the odd occasion "Components have insufficient complexity to be secure". That is security comes by bringing a certain minimum of utilitarian componets together in the correct functional architecture to get sufficient complexity to be secure.

Look at it this way a crypto algorithm offers no security what so ever, it has to be built into functioning code before it can do anything. After a design process you end up with a subroutine in your chosen language that takes two input sources and provides a single output. Thus the subroutine is a utilitarian component that can be reused over and over in many different systems in many different ways.

But it's not secure in it's own right, to see why consider the case of encryption. To encrypt the subroutine takes the plaintext and the keytext and outputs the ciphertext as designed. But as the subroutine runs in a process the three texts will share the same memory space thus it can not be regarded as secure. To start to get some measure of security you then have to design the process to seperate the three texts in some way where access to one text does not alow access to the other texts. Further you have to have the process run in an environment that segregates it from other processes and so on up the computing stack.

Which is a bottom up approach, which generally is a bad way to do things beyond the design of the basic utilitarian components.

But worse with security involved you will also have to consider the layers below the programing language in the computing stack such as how the memory is organised, lengths of times instructions take to execute, how memory segregation is organised, enforced and audited etc.

Which is why a better way is to do a high level requirments analysis, from which you derive a functional analysis, on which you then do a security analysis. You churn this around untill you end up with your 20,000ft view of what your architecture will be.

You then go through a process of designing a function dependent system framework in which you hang successively smaller frameworks in which you put the utilitarian component parts. Which should if you follow the rules all the way down give you an approximation of a secure system.

WaelOctober 13, 2018 7:37 PM

@Clive Robinson,

That's helpful. Suppose we use the analogy of a skyscraper or an entire city to be built. Assuming Architecture and Design are separate tasks, regardless of whether they're done by the same person. What would fall under Design and what would fall under Architecture, keeping security in mind?

echoOctober 13, 2018 7:40 PM

@Clive

Following on from your comments in the social-economic domain the lack of considering people's social and economic security suggests Brexit as implemented isn't an accident but design intent.

I have no idea what Prof Anderson may say or whether his experience in "security engineering" and "security economics" can add value to a discussion.

https://www.theguardian.com/commentisfree/2018/oct/13/brexit-fanatics-no-compromise-go-for-broke-chaos-counter-revolution

They have hardly made a secret of their ambitions to reverse protections for workers. “The weight of employment regulation is now backbreaking: the collective redundancies directive, the atypical workers directive, the working time directive and a thousand more,” said Johnson in 2014. Liam Fox told the Financial Times in 2012 it was “unsustainable to believe that workplace rights should remain untouchable”. Jacob Rees-Mogg said he could not “support all the employment rights that come from Europe”. David Davis, John Redwood and the older Brexit crew were against the social chapter from the moment of its inception. Meanwhile, Andrea Leadsom outbid them all when she dreamed of a future when there was “absolutely no regulation whatsoever – no minimum wage, no maternity or paternity rights, no unfair dismissal rights, no pension rights – for the smallest companies that are trying to get off the ground”.

Colin MansellOctober 13, 2018 8:00 PM

Great blog. Love your comments policy.

This is about snooping on us, and is therefore security related, but I wouldn't mind betting it is also about commerce/behavior/garnering clicks.

I watched a video on Youtube from a hacker conference, quite possibly Defcon, before 2018, from someone who was concerned about the amount of data 'they' were collecting on mouse clicks and so on, from the packets and amount of data coming in and going out. Can anyone point me back in his direction? He was an oldish guy 50+, beard if I remember rightly.

On, I believe, a related point, what is going on with Firefox? Are all browser experiences the same now? When I go back to a tab/page after a minute or two, the data is no longer there and the internet has to go back to the cloud/server to start all over and bring the data from new from a blank screen.

Education of my ignorance appreciated.

Clive RobinsonOctober 13, 2018 8:23 PM

@ echo,

The encumbrant idiots mentioned are very selective in their remembering of history. Which is what you would expect for those who feel entitled by status.

Whilst they might think they are secure in their places, history shows us that when pushed collective action by the rest of society can have only one of two conclusions. The self appointed elites back down or they are made ineffective in some way, often by violence of some form.

Civil unrest is undesirable but usually that is what ends up happening. First the self appointed call upon their guard labour that basically resorts to the worst of human depravity, at which point the tide turns and the guard labour flees the self appointed. It's then often a question of how well the self appointed have planned, some will get away unscathed whilst others will be removed from society by society...

I'm guessing that the idiots are assuming that either their backers or technology will keep them in positions of power or atleast protected from the vengful. History shows that such assumptions have a habit of being wrong.

The real problem is the backers, who have planned, thus have made safe havens for themselves where anonymity is virtually assured. Where they wait for things to blow over before returning to start the cycle again...

I gather there is a fair amount of Mansion Building going on in New Zealand with underground bunkers with 60 months or more supplies... Which sounds to me like some of the backers are already preparing for "The blood of patriots and tyrants..." to flow.

Little LambOctober 13, 2018 8:25 PM

the amount of data 'they' were collecting on mouse clicks ... He was an oldish guy 50+, beard if I remember rightly.

A mad scientist was performing cruel and unusual experiments on captive mice. The psychiatrist next door was muttering something about bestiality or murine-human intercourse, but they didn't want to add it to the DSM-V because they thought it might give people ideas.

WaelOctober 13, 2018 11:47 PM

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4BNhf0wjCMckfCF4leiH
8EnmtNQZ1ZhEXZicDjXhBmLQDaSLEtQhJTMbFkDd4CLfYLgO3mkp4dQVK/pG9FWn
75XO7bpApzcWKmQjJn+EwemIYC5Nc76WkrCQ4FVm5w0ys/sPtJqxGt75yM78ysCM
K2R3Xf5UzHefaNlbUbndvtXFTwy3chRsx/TSyZCXuCRFhybFIQcdE4Es+yRthm8w
U4znkmhiEFjwuW9wMyPhEyHelE6qYWiiR2VCC3xxiLaOH3mXINhjpKXXmbTnfrdB
3L0P4s/YV7BgP7kDKXIRaxTsAL+gqMrwtXYDm18vuHCA2ySNQPItjJaN0pf/6KBC
qyuL1NDlB13tBr9kZhx9OjYo22HG2nffBci9EnfE4i3zsnu+HJoTq7YSpnh4mhpo
pzNpCujV57PgbFMvJpquhghMH1Nr8mGAmgXSYPEO7dCoM0TG2HDqJhj2kZIwbZ9w
x3UsPSo38RVBUkm15e2qgoCEEEHwkl3yVUQ/YlU3I36Crbu53oSi7/nMuPIefBYW
UpaqaBSy4PAZUy6sqopErIjO5hp/rZDojvF1m82aR02wJkjyK5LHCV7RmfpiG4Ag
akOYQV6J+aT2aQ7HV4VAARz8PzEuNo7jDK84Y3YqD7GUv9Ir/KkVHB79APuq0PVH
wt97MGIKxSwTL7CV1BvGKTsCAwEAAQ==
-----END PUBLIC KEY-----

WaelOctober 13, 2018 11:52 PM

The above is just a test public signature for a POC. Once done, I'll delete the private key. Please do not use this to send me encrypted information -- I'll ignore it. Besides, this will be used only for signature verification, you know: a 'Separation of duties' thing...

Erik ROctober 14, 2018 1:00 AM

Before the EU content filter requirements goes live; Bruce and the new book are mentioned on Swedish public radio. Link to the program, all in Swedish though:

https://sverigesradio.se/sida/avsnitt/1161066?programid=516

The program is not tech related but rather a relaxed and humorous talk show with thoughts about the future. The book virtually opens and drive the idea of increased analogue ways of doing things that wont kill you if clicked.


MarkHOctober 14, 2018 1:53 AM

@echo:

I wasn't involved in the boiling flow analysis; some colleagues who worked at the "hairy end" were kind enough to explain to me some of the challenges.

My little exposure to turbulence from an engineering perspective comes from looking through some elementary texts in aerodynamics. They give a pretty good idea of where you can expect to see turbulence, but don't attempt to quantify it.

On an airplane wing, smooth (parallel) airflow stays close to the wing surface for a surprisingly short length after the leading edge (nose). Behind this threshold, the smooth flow angles away from the wing surface, and the "wedge" in between is considered to be full of turbulence ... but nothing analytic, more like "here there be dragons."

TimothyOctober 14, 2018 5:53 AM

A former Apple product engineer writes about circuit boards and whether a Supermicro server board implant was possible. The short answer is yes. She discusses the risks of under-resourced teams, "customer-facing drawings" vs "factory drawings," counterfeit parts, and building digital transparency and traceability in the supply chain. She says that although the technology exists to assess a product's integrity, particularly for high sensitivity electronics, it is not yet considered a standard across the industry.

https://www.forbes.com/sites/annashedletsky/2018/10/04/hardware-hacks-are-easier-than-they-seem-what-does-it-mean-for-the-future/

Clive RobinsonOctober 14, 2018 6:18 AM

@ Timothy, ALL

You might also like,

https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/

As I've said I have my suspicions about Bloomberg, thus I have my doubts.

However it is entirely possible to do (the NSA&GCHQ do it).

The real problem is "hard proof", people are claiming "no photo no story" without realy thinking things through.

They are under the impression an attacker needs to attack all the motherboards on a server farm etc.

The reality is they don't, the motherboards used in server farms have the BMC with it's own network. This network usually connects many motherboards together for ease of administration. In the slightly more secure setups this BMC network is "air gapped" from other networks so geting in from outside or getting data from outside should "in theory" be impossible.

Which is fine as far as normal attacks go. However a single hardware implant motherboard on this BMC network is in effect an "insider attack" and thus just one implant can infect all the other motherboards in the server farm...

As actually finding an implant would require "destructive testing" that is inordinately expensive, economically you would not do it, but either junk the boards or use them in non critical areas.

It's a point most are currently ignoring in their mental model.

TatütataOctober 14, 2018 8:25 AM

Re: alleged public key

I first read "POC" as synonymous with "POS", but as my cerebral porridge eventually coalesced, I realized it must have meant "Proof Of Concept".

Out of curiosity, I tried importing that text into Kleopatra. Result: a very user friendly "BER error", which I then Γκοογλε'd to try to understand what it was supposed to mean in plain Volapük, but landed only on cryptic bug reports and "computer service" scamware bait. Then tried the same with command-line gpg, with no better results. After cussing a little bit, I then realized it's a beautiful Sunday out there, and that there are much better things to do, in which I will now engage.

Was this an experiment of sorts, with the readers starring as the mice in the maze?

Or an attempt to demonstrate the difficulty of using classical crypto tools, if this was ever necessary?

Ergo SumOctober 14, 2018 8:58 AM

@ Clive...

As I've said I have my suspicions about Bloomberg, thus I have my doubts.

However it is entirely possible to do (the NSA&GCHQ do it).

That's somewhat contradicting statements and begs the question. Why other state actor(s) wouldn't be able to do the same? Especially, when that other state actor has the factory within in its control that manufactures the product in question?

Which is fine as far as normal attacks go. However a single hardware implant motherboard on this BMC network is in effect an "insider attack" and thus just one implant can infect all the other motherboards in the server farm...

I don't disagree, but...

Wouldn't the "insider attack" generate lot of noise on the preferably isolated BMC network? Presumably, it depends on the size of the BMC network and monitoring for unusual network traffic, but still.

Clive RobinsonOctober 14, 2018 9:22 AM

@ Tatütata,

Out of curiosity, I tried...

I suspect --but am to lazy to try-- that it is a scheme of crypto+stego thought up by @Wael and @Ratio.

Where they use "non printing" characters in which ever UTF coding they are using to represent "bits" or other data size. Hence the reason it will show up in "vi" but not most text editors.

If I remember correctly the original idea was a way for a poster to sign their post without having a very anoying visual inclusion at the end, messing it up for readers.

You can see --or not ;-)-- a little more over at,

https://www.schneier.com/blog/archives/2018/01/fingerprinting_6.html#c6768403

Though it looks like @Wael blaims me =8( for the start of it a month or two before that...

CallMeLateForSupperOctober 14, 2018 9:49 AM

"[...] what is going on with Firefox? [...] When I go back to a tab/page after a minute or two, the data is no longer there [...]"

I have experienced some weird Firefox behavior over the years, but not what you describe. Lovely. Congratulations. :) By the way, what OS do you use?

I run Ubuntu Linux. One of the most persistent (going on three years now) weirdness-es here is a (sound) Volume slider appearing at upper right of window - only when FF is active - and vanishing after 3-5 seconds. Typically I am just reading when this happens.

Adding to the weirdness, the pop-up Volume slider looks nothing like Ubuntu's Volume slider, and I have no idea what it "belongs to".

WaelOctober 14, 2018 9:57 AM

@Tatütata, @Clive Robison,

Re: alleged public key

Legitimate 4k Pub Key. Was working on the script last night but got distracted with other tasks and I also encountered some minor challenges, but learned a few things that'll share once I sign a message and post the verification script. No need to import the Pub Key into Kleopatra -- it might bite you in the chest ;)

[...] blaims me =8( for the start of it a month or two before that...

I blame no one; I only keep score. The price you pay is a question that I'll ask you soon.

TimothyOctober 14, 2018 11:38 AM

@ Clive

Thank you for sharing the article. I have read it, and will probably have to read it a couple more times to understand the many potential vectors of vulnerability. To the final thought from Dr. Markettos’ article:

“But it is likely news to many people that their systems are a lot more complex than they thought, and in that complexity can lurk surprising vulnerabilities.”

... What are your thoughts on the printed circuit board vulnerabilities as presented by the DoD-led Interagency report?

Here is a small bit of background: The report - fulfilling EO 13806 - discusses 16 sectors that are relevant to the defense industrial base and its supply chain; this review is listed in Appendix Two. The 16 sectors are grouped under two categories: Traditional Defense Sectors and Cross-Cutting Sectors. Both ‘Cybersecurity for Manufacturing’ and ‘Electronics’ are listed under the cross-cutting sector. Each sector has a dedicated working group that provides a risk analysis on the sector’s ability to support national security.

The Electronics Sector lists the specific topic of ‘Printed Circuit Board Manufacturing.’

What I found surprising was that, reportedly, the US only accounts for 5% of the global manufacturing of printed circuit boards. While 90% come from Asia, with over half of that coming from China.

The report advises that the DoD risks losing visibility of the ‘manufacturing provenance of its products’ and that many offshore facilities do not meet or comply with DoD quality requirements.

Further “The DoD Executive Agent for Printed Circuit Board Technology has provided technical assistance activities with domestic manufacturers and observed awareness gaps among manufacturers related to International Traffic in Arms and other Export Control regulations.”

A different section of the report discusses the effects of unlawful or unfair foreign trade practices that are contributing to the shuttering of U.S. factories.

I am, as with Dr Markettos’ article, still trying to unpack the details and implications. Again, thank you for your response, and your thoughts, and for sharing an enlightening and expert article with us all.

Clive RobinsonOctober 14, 2018 12:24 PM

@ Ergo Sum,

That's somewhat contradicting statements and begs the question.

I look on Bloomberg with a degree of suspicion, their main line of business is not as journalists and they have been known to behave more than somewhat unprofessionaly. In essence using the Bloomberg terminal to spy on traders and use it not just for news but "market shifting" news.

Further one of their supposed anonymous sources for the first article has come forward and said they have been not just incorectly quoted but in effect used to fabricate the story. With their second article the named technical source has again come forward making similar complaint.

Some of the times that Bloomberg say events have happened can be shown to have been events of an entirely different nature, that have been previously reported by others. Thus it looks like a lack of research or an overly massive conspiracy theory. Either way Bloomberg has not come up with any testable evidence and much of what they have said has been shown to be incorrect.

Other people that have knowledge of how to do implants have come forward expressing at a minimum supprise and some doubts about the Bloomberg story. So the upshot is "Yes we know how to do implants and can tell you how to do them, but we are suspicious of Bloomberg's stories".

Which is why some have been saying that Bloomberg appear to have an agender that is not news as news, but more as market manipulation. In fact enough noise that I suspect SEC or other federal authorities are likely to be looking into it and trades placed leading upto the publication that caused half the value of a large corporate to be erased and a large fraction of the largest US tech company to be devalued.

With regards,

Wouldn't the "insider attack" generate lot of noise on the preferably isolated BMC network?

It depends what it is doing. There is a fair amount of noise due to discovery and other legitimate BMC activities so the BMC network is not quiet. As I indicated I would already have put certain types of bug in the BMC source[1] which is apparently on these boards a variation of Linux[2] thus easier than many might think.

Which means that the traffic across the BNC network might just be a packet to "flip a status value" or equivalent.

People tend to forget that network stacks are promiscuous by design at the lower levels and making them much more promiscuous is a matter of changing status values. Back in the days of hubs that would have ment a single network packet would have been received on every machine on the network.

But there is another issue that few think of which is time based side channels. You can modulate legitimate traffic to carry illegitimate traffic in a form of "Pulse Position Modulation". Which has been used in the past due to the transparancy of "efficient" hardware to get "keyboard logging" information out onto the local network and beyond.

It would be a matter of simplicity to combine such pulse position modulated data with expected "discovery" traffic etc.

Basically you are in effect just picking already known covert techniques and putting them together in ways few others would realise.

But my main point is although we can do this, and bits already have been so code exists etc, we don't yet have evidence it's been done by China, even though it has by the US and UK.

And in the case of Yossi Applebaum his concern which I share is that we "don't throw the baby out with the bath water" by appearing to be "crying wolf". That is supply chain attacks are real they have happened and atleast one with ePOS card readers originated in China. Thus what we don't want is people making events up that then get shown to be false in some way that then makes the majority of people think everything about the story is "fake news"[3].

The fact some people are already talking that way, makes others think it's a "disinformation campaign" which only goes to show what happens in an information vacuum...

[1] Again this type of "insider attack" especially in what is in effect "open source with mods" has been long suspected of the likes of the NSA and GCHQ and indirectly confirmed in more recent times. It's inpart "finessing" inpart suborning or placing development staff.

[2] The reality is that with Linux running in BMC's and Minux running in Intel's ME Microsoft OS's are actually the minority OS...

[3] As has been observed "The price of freedom is eternal vigilance" and we don't want people "sleeping on the job" and waking in a nightmare.

Clive RobinsonOctober 14, 2018 12:36 PM

@ Wael,

things that'll share

I'm guessing your harsh mistress is having her way with you again?

As you are having the wrong contractions :-S

Oh and the bad "bite in the asp" joke yes I caught it, though I'm not sure who else did ;-)

WaelOctober 14, 2018 2:42 PM

@Clive Robinson,

That Message signing thing turned out to be a real ...
Stay tuned. I'll be back.

Clive RobinsonOctober 14, 2018 3:03 PM

@ Timothy,

What are your thoughts on the printed circuit board vulnerabilities as presented by the DoD-led Interagency report?

My first thought is "they are over egging the pudding of doom" and "for the wrong reasons".

To see why they claim the US had a 10billion market in 2000 but only a 3billion market in 2015, but forgot to mention that the world wide market in dollars shrank quite a bit even though the number of PCBs made world wide went up.

Thus the most likely cause is "economic disincentive" due to other factors such as two world banking crisis and a massive layoff of blue collar workers in the US.

This would have been exacerbated by the "make old do" problem that you see over and over in industry since the 1960's. When a market opens those first in make a very large capital investment on what would be not very good equipment. As the market advances the equipment becomes considerably better and a lot cheaper. However those who were first have such high sunk costs they have to "make old do" which usually makes their running costs higher as well which makes them further uncompetative. A "tail spin spiral of doom" usually follows. Have a look at British Industry during the 1970's-1990's especially heavy industry.

There is contrary to what the report implies nothing illegal in these effects. The problem is two fold,

1, Share Holders prevent businesses reinvesting sufficiently.

2, The government insists on to long a period of time over which equipment gets written off.

But in the case of PCBs and other similar engineering, the early machines were heavily manual in comparison to modern machines. And this had three other effects,

3, High labour costs.

4, Poor or variable output quality.

5, Poor optimisation of materials and work flow.

The last of these can more than double your unit costs. When I was a young engineer doing my own development I did not buy PCB material. Because there was a PCB manufacturers (Classical Circuits) a few miles away on my way home that chucked out so much scrap I could take it from their bins by the tens of kilogram when ever I needed it. They were quite happy to let me as they had to pay by the Kg to have their scrap taken away and they often put choice off cuts aside for me, just for a chat and a drink round the corner.

But with manual systems quality is generaly based on worker experience, and workers with experience expected high wages for their skills as any craftsman would. CNC and similar reduced the level of skill required in workers down to very very low levels as well as reducing staff dramatically. In some companies that resulted in there being many times the number of shop floor workers in the sales, admin and managment side, it was not sustainable. Modern PCB companies have very few staff, atleast one in the Far East I know of employes more cleaners (4) than it does managers and the IT staff(7) outnumber the sales staff(5). Outside of the owner the highest paid member of staff is one of the IT guys who writes their factory control software, and the next highest paid develops their "web presence". Twenty years ago I used to work with the owner in the engineering dept of a FMCE Telecoms company, he tells me that business is getting bad, not because of lack of work but competition from larger companies with effectively less workers per unit of productivity and other services such as component loading and test.

Yes there are US fast prototype companies but aside from being US they don't offer much over those you will find in Alibaba etc. I don't bother looking at them because their shipping costs are absolutly ridiculous to the UK. As for the UK well lets just say that having looked into some they are effectively "shop fronts" or agents for Chinese companies trying to work margins.

You also have to look at it another way. I can try and source PCB material in the UK from the likes of DigiKey, Mouser, RS, Farnell etc for doing single sided or double sided prototypes. They are going to be the wrong size wrong base material and thickness and take upto a week to arive, hence have high material and time wastage. But I then have to add the costs of etching or CNCing them which is comparitively quite high. However I can email the gerbers and have a choice of delivery times from the Far East and get ten boards with plated through holes for less cost/time than I can getting the stock in and making them myself. More importantly the more esoteric RF materials such as RT Duroid, Arlon and ceramics are not a problem, nor is gold or silver plating in whole or part. So why should I even open the DigiKey etc catalog?

Whilst I can understand some of the DoD's issues including that of security it's the elected members of the US Government who effectively killed their own defence industry by various COST initiatives. Because the specials the DoD needs were effectively subsidized by the US electronics industry in general. The industry died because of political influance and now "the chickens are comming home to roost".

If you want a vibrant and successfull manufacturing industry you need fertile ground for it Off-Shoring, Out-Sourcing, Business Process Reengineering and many more idiot ideas have killed it via quick-buck expecting Share-Holders. If you want to grow a company the last thing you need to be doing is throwing money away at share holders and the Rrvenue service. You will note that the more successfull companies are now effectively fully off shore to avoid the later. The side effect of this is that they can not brink the money back on shore to invest in the US... In the near future many of these corporates will work out how to get rid of their public share holders at which point their use to the US will be at best detrimental through lobbying...

No matter how Pres Trump may want to change things for what he sees as the better, he will not be alowed to by those politicians around him. They will only alow what they can profit by.

As with any war there are combatants and profiteers, it's no different with a trade war. You can bet your last copper penny that people are making big bucks out of the China-US trade war. At the end of the day as with other wars China will win or draw. The best the US can hope for is a draw, but more likely they will loose big longterm. The only rrason China is playing along currently is the amount it has invested in the US "to keep the peace". If push comes to shove China will take the hit as it can absorbe it better than the US can. Because the US is very fragile and in quite bad shape in many ways including in raw resources. The US has been extreamly profligate with it's resources and thus has to import much of what it needs. China on the otherhand has not been profligate. Much of the US defence and high tech industries are very to critically reliant on raw resources that China has an effective monopoly on currently. They have been using them to effectively force US manufacturing into China, where the IP has been appropriated. This was clear back in the 1990's and the US could have stopped it then, but political interests effectively stopped any action for the sake of "short-termism" and corporate lobyists. Now it's probably to late to do it relatively painlessly...

echoOctober 14, 2018 3:25 PM

I am beginning to wonder if this whole spying game shouldn't be subject to a supra national court. My reasoning being that if good governess and good civic society and equity between nations means something then apart from wars of agression which are themselves unlawul spying is irrelevant and serves no purpose. I accept this position is far short of perfect and contains many flaws but believe the question should be asked.

We have a lot of good models for what should be done but politics or more specifically some politicians often get in the way.

@Clive

It would be an extremely low bit rate but what about systems that hide encoded messages in standard text with no stenographic techniques? I know there are techniques but wondered if they could be applied in an automated and none detectable way. Of course, traffic analysis techniques can reveal schmes as we know but I wondered how far things could be pushed and how long detection could be evaded. Can a technique be hardened to withstand full data capture and historical analysis?

One thing I ahve noticed which is more a problem with psychology than anything else is common phrases tend to lose their power in the same way that people become blind to information hiding behind statistical averages. Like all things they are open to use one way or the other way. Reflecting on the destabilising and dangerous garbage produced by the intellectual alt-right they seem very driven by psychology and marketing.

@MarkH

It's fascinating hearing this whatever level you worked at. People aren't always valued for a lot of reasons but I have in my notes/databse somewhere a study which suggests that a psychological lift given in the right way not only makes you feel better and less psychologically conflicted but also becomes a self fulfilling prophecy which enhances success with life opportunities. You will have to excuse me not citing the exact study. It's a topic area which in discussion can become problematic due to perceptions.

TimothyOctober 14, 2018 4:30 PM

@ Clive

The US has been extreamly profligate with it's resources and thus has to import much of what it needs. China on the otherhand has not been profligate. Much of the US defence and high tech industries are very to critically reliant on raw resources that China has an effective monopoly on currently. They have been using them to effectively force US manufacturing into China, where the IP has been appropriated. This was clear back in the 1990's and the US could have stopped it then, but political interests effectively stopped any action for the sake of "short-termism" and corporate lobyists. Now it's probably to late to do it relatively painlessly...

I concur.

The report "Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology" – sorry for the mouthful – provides a visual (Exhibit 1) as to the level of ‘China Supply for Seven Leading Federal IT Providers, 2012–2017.’

It’s a lot.

Thankfully, I guess, both the above report and the DoD-led Interagency report provide recommendations for cultivating a secure and resilient supply chain. Hopefully less pain now than later.

Clive RobinsonOctober 14, 2018 5:57 PM

@ echo,

It would be an extremely low bit rate but what about systems that hide encoded messages in standard text with no stenographic techniques?

No stego would imply ciphers not even codes...

Whilst "phrase" codes can be made to look like natural language in small numbers of codings per communication, they quickly become to random to maintain the pretence with more than three or four codes per communication. Whilst humans can generaly spot them due to their odd or stylised form computers and AI are still on the threshold of being usefull.

Thus can you hide "ciphers" the answer is yes if you somehow modulate them on ordinary text messages. As I've mentioned before HTML tags have quite a degree of redundancy in the order you use them. Take for instance the "UN" tag and the "I" tag. If you use both around a sentence there are four ways you can arange them,

[UL][I]abcdefg[/UL][/I]
[UL][I]abcdefg[/I][/UL]
[I][UL]abcdefg[/UL][/I]
[I][UL]abcdefg[/I][/UL]

The text would in all cases be rendered identically but the tags in effect send two bits of information you can do similar with the many redundant UTF encodings.

The point being, anywhere there is redundancy you can modulate it with information.

You can certainly do these automatically but like many things the more you do it the more noticable it becomes.

With regards,

Of course, traffic analysis techniques can reveal schmes as we know but I wondered how far things could be pushed and how long detection could be evaded.

As I've mentioned, on a local area network all hosts can hear a single packet. That is some packets get "broadcast" rather than sent "point to point" similar is true of network packets sent across the Internet, in that every node they go through sees not just the packet but the time it was sent via time stamps. Such information has been used in the past to communicate information to a close node even though a host could be talking to several different remote hosts.

So yes there are ways that things can be done by abusing various routing protocols etc.

With regards,

Can a technique be hardened to withstand full data capture and historical analysis?

No and depends what you mean.

Anything you transmit can be recorded by a third party for part or all of the time. It is upto the third party what and to what accuracy they record your transmissions.

The less accurately they record the more information they lose. It's been said the NSA record times down to the nano second which is the length of time it takes light to travel just over a foot.

The question is can you somehow "cheat" this, to which the answer is probably yes. It all depends on how the NSA records what you send.

Look at it this way, do they store the time for every bit sent? Unlikely, can you vary the width of a bit by a small amount such that the accumalitive time for a network packet could be used as a signalling mechanism between two nodes. The answer is yes under certain circumstances but by no means all. But these considerations are more in the realm of theoretical rather than practical.

The main reason the NSA started using such high precision time is not to do with time but order. Look at it this way in an ordinary conversation how many different people could speak in a minute? If you only recorded time to the minute, then who said what can be put in a database easily, but in what order people said it becomes ambiguous. The finer the granularity of time you use the less of a problem order becomes when using a database or other nonsequential storage.

Thus you might use some time delay code to modulate sectet information on otherwise benign traffic. The "fingerprint" of it might well be in the database, but unless someone goes looking for that fingerprint it in effect remains hidden.

If they do go looking then the question falls to what is random noise and what is signal and how do you tell. Simplistically the closer the signal is to random noise the less chance it has of being recognised as a signal. And if it is not recognised as a signal then there is no history to be analysed.

We know from stream ciphers that inteligable information can be made to look as close to random as to not be differentiable. The usual example used is the One Time Pad, where in theory you can not tell the difference between random and information.

In radio communications there is a form of modulation called "Direct Sequence Spread Spectrum" (DSSS) it is generated in exactly the same way as a stream cipher is. Which is why DSSS is used in "Low Probability of Intercept" (LPI) covert radio systems. What works in the Frequency Domain also must work in it's inverse the Time Domain. Thus you can add jitter to the times you send network packets that to a third party can not be distinguished from random. However the second party knowing the key stream can decode the jitter and recover the information.

There is a lot more on the subject including "jamming immunity" which in network time might be caused innocently by other traffic, or deliberate by the third party. But hopefully it gives you an idea of what can be achieved by those with sufficient intent to covertly send information.

Oh even though all this information can be found in stanfard graduate level text books it's usually broken up into entirely unconnected subjects. And you are not supposed to be bright enough to put it all together...

Which obviously is the way some people want it to be especially in the US where some of it is still supposedly clasified... Yes it's security by obscurity but from their point of view the less we know or are alowed to know the less tricks we can pull on them so the easier their jobs are (all very "medieval popish plot").

My view point is they should stop shining the seats of their pants on comfy chairs and actually earn those big fat appropriations of money they get from the poor benighted tax paying citizens ;-)

TatütataOctober 14, 2018 9:59 PM

... Legitimate 4k Pub Key.

I ran the text through a base64 decoder and examined the result. It does seem to be a very basic key consisting of a modulus and an exponent, but nothing beyond that. It did make me learn a couple of new things about key formats.

No need to import the Pub Key into Kleopatra -- it might bite you in the chest ;)

Sounds ominous, is that a warning or a threat? :-) Images of the original "Alien" flashed through my head, I only ever saw that flick once, and that's quite enough.

I looked at the link provided by Clive, and began looking at the source of the HTML and noticed a bunch of ampersand-coded characters. Without looking at the rest of the thread I tried to make sense out of it, which I managed. I then began reading the rest, and found myself racing with the progressively more detailed disclosure over the last two years, which apparently culminated last week. I somehow missed all of that.

OK, so there is this 176 byte (=1408 bit block, or 11 blocks of 128 bits) which is apparently encrypted by a key somehow derived from the pattern abab -> 1010 repeated 5 times.

I got as far as to try to create a key out of the poem's scheme, but the online decoder didn't work. I somehow felt like I was in a certain novel by Italo Calvino, hopping between windows of different time, style and location.

Alas, I just found out that the solution was disclosed last week, so I'll stop here. This is what I can show for, a bit of Octave code which I commented as I went along:

-----------------------

clear;
close all;

# The ampersand codes isolated apparently have the following value:
# (after correction, see below)
# &zwn; == 0
# ‌ == 1
# The substitutions were performed with an editor

# This file is a column vector of [0..1]
load zjn;

# I got it wrong on my first try, the bits are inverted:
zjn=~zjn;

# Form a 8xN matrix. It is noticed that all leading bits
# in the first column are 0, which suggests some form of
# plain ASCII coding.
a=(reshape(zjn,8,length(zjn)/8)');

# Define 8-bit binary weights
w=(2.^[7:-1:0])';

# Multiply the bits matrix by the weights column vector,
# and convert the result to a string
b=char((a)*w)';

# Display the resulting string.
# There is an "=" at the end, and the string alphabet resembles
# base64 encoding.
disp(b);

# The Octave built-in function "base64_decode" returns some
# weird floating point garbage. That's not what I want.
# Decode the string using the external core util base64(1).
unix(['echo ' b ' | base64 -d >decoded.txt'])

# That's it. "decoded.txt" is 176 bytes long, or 1408 bits,
# which are 11 128 bit blocks.
#
f=fopen('decoded.txt','r');
c=fread(f,Inf,'uint8');
fclose(f);

# The poem indicates that the key is derived from its rhyme scheme.
# The previously obtained data string must therefore be an
# encrypted string.

# The rhyme scheme is (abab) repeated 5 times
# Substituting 1->a, 0->b, results in (1010)^5,
# but how is this extended bzw. inserted into a 256
# bit long field?

# This site recommended by Wael is apparently out of order:
# https://aesencryption.net/

# OK, this is the point where I get stuck.
#
# To Do:
# Encryption modes to try:
# (AES-) + {CBC-HMAC-SHA1' | 'CBC-HMAC-SHA256' | 'XTS'}
# openssl aes-256-cbc -d -a -in deco.txt -out secrets.txt.new

# These should somehow be decoded

JG4October 14, 2018 10:10 PM


Thanks for the continued helpful discussion.

@echo - I think that Clive regularly points out that tools are agnostic to use. It would be difficult to think of a tool that wouldn't be useful in some way for carrying out the functions of government and also for carrying out the functions of organized crime. Secure communication tools are a nearly perfect example, and also quite useful to human rights organizations, who essentially want to act against the interests of governments and organized crime in trampling human rights.

This old comment overlaps the topic of flow control pretty cleanly.

https://www.schneier.com/blog/archives/2015/08/friday_squid_bl_1.html#c6704388
...
any sequence of instructions can be treated as a trajectory in an arbitrary dimensionality n-space.
...
The trajectories can be thought of as fingerprints, in that bad trajectories (unwanted code/undocumented features) are different from the desired system operation.
...

The usual daily compendium. I included a few that require a broader than usual view of security.

https://www.nakedcapitalism.com/2018/10/links-10-14-18.html
...

Why Catastrophic Climate Change is Probably Inevitable Now umair haque, Eudaimonia and Co. (GF) Well worth a read.
...

Trump Administration Urges Saudis To Stick To Killing Random Yemeni Civilians The Onion
...

Why it’s totally unsurprising that Amazon’s recruitment AI was biased against women Business Insider

ICANN’s internet DNS security upgrade apparently goes off without a glitch Network World
...

Some plants nurture soil bacteria that keep them healthy The Economist and Underwear Measures Soil Microbial Activity AgPro

WaelOctober 14, 2018 10:11 PM

@Tatütata,

I'll share the scripts so that you can verify (and sign) messages. It uses openssl, out of all things, but it's just a POC like I said. So don't worry about "deciphering it" now.

Sounds ominous, is that a warning or a threat?

Neither! Just a caution. Check Kleopatra and the snake; a Serpent -- another crypto thing ;)

WaelOctober 14, 2018 10:18 PM

@Tatütata,

The rhyme scheme is (abab) repeated 5 times

No! The rhyme scheme is AABBA for limericks! AABBA was they AES key you needed to put for a secret at https://aesencryption.net/ -- It does not work now, so I switched to openssl. I was too lazy then but realized one can't depend on external sites... Same for quite a few links I previously embedded here, they aren't working any longer.

I can explain the previous poem later, after I share these signature scripts.

WaelOctober 14, 2018 10:46 PM

These are the scripts you need for 🔑 verification. There was a small mistake I made when I appended the signature to the message body -- I ate a couple of line-feeds, that's why the "get message" script has the last line.

#Obtain Public Key
<b>Obtain Public Key</b>
curl -s https://www.schneier.com/blog/archives/2018/10/friday_squid_bl_646.html#c6783413 \
| awk '/c6783413/{flag=1;next}/class="comment by/{flag=0}flag' \
| tail -n +4 \
| sed 's/<br \/>//g; s/<p>//g; s/<\/p>//g; $ d' \
| head -14 > pub.sig

#Get Message Body
curl -s https://www.schneier.com/blog/archives/2018/01/fingerprinting_6.html#c6783451 \
| awk '/c6783451/{flag=1;next}/class="comment by/{flag=0}flag' \
| tail -n +4 \
| sed 's/<br \/>//g; s/<p>//g; s/<\/p>//g; $ d' \
| head -36 > message-body.txt \
; echo -n -e '\x0a\x0a' >> message-body.txt # Fix my mistake

I'll follow with some scripts that help compose the signature...

#Get Message Signature
export SCANNED=$(curl -s https://www.schneier.com/blog/archives/2018/01/fingerprinting_6.html#c6783451 | awk '/c6783451/{flag=1;next}/class="comment by/{flag=0}flag' | awk -v RS='&[j,n,w,z]+;' 'RT{gsub(//,"",RT);printf RT}' | sed 's/&zwnj;/1/g; s/&zwj;/0/g' | sed 's/.\{8\}/& /g' | tr -d ' '); printf $(echo "obase=16;ibase=2;$SCANNED" | BC_LINE_LENGTH=2000 bc | sed 's/../\\x&/g') > message.sig

#Verify Message
openssl base64 -d -in message.sig -out /tmp/sign.sha256
openssl dgst -sha256 -verify pub.sig -signature /tmp/sign.sha256 message-body.txt

WaelOctober 14, 2018 10:58 PM

Forgot to say the signature is only performed on the body of the message. No sender, no time, no nonces, no comment number! Didn't have time for that, and @Ratio will tell you RegEx isn't my cup of tea. So don't flame me -- it's just a POC.

It's not easy to predict the comment number, and one can't reserve a comment number to include in the signature. Also, I could have included the time, but that requires precise submission time-control, which I do have (better than @Ratio, by the way, whose atomic clock is out of sync by a minute or so.)

WaelOctober 14, 2018 11:04 PM

How I composed it:
#!/bin/bash

echo "Usage: preview_signature input_file passphrase"
echo $1 # Did not have time to put command line parsing
echo $2

# Sign message
openssl dgst -sha256 -sign ../../keys/private.pem -out /tmp/sign.sha256 test_message

# Convert message signature to base64
openssl base64 -in /tmp/sign.sha256 -out /tmp/post_signature

# Convert base64 to binary numbers representation
cat /tmp/post_signature | perl -pe '$_=unpack"B*"' | sed 's/.\{8\}/& /g' > /tmp/base64_to_Binary

# Strip Binary
cat /tmp/base64_to_Binary | tr -d ' ' > /tmp/stripped_base64_to_binary

# Convert binary to invisible characters
perl -pe 's/0/‍/g;s/1/‌/g' /tmp/stripped_base64_to_binary > /tmp/embedded_signature

# Convert invisible characters back to binary
perl -pe 's/‍/0/g;s/‌/1/g' /tmp/embedded_signature > /tmp/reconstructed_binary

# Compare the two binaries
diff /tmp/stripped_base64_to_binary /tmp/reconstructed_binary

# Convert Binary to Base64
cat /tmp/reconstructed_binary | sed 's/.\{8\}/& /g' | perl -lape '$_=pack"(B8)*",@F' | head -11 > /tmp/reconstructed_signature

# Compare reconstructed signature with original
diff /tmp/reconstructed_signature /tmp/post_signature

----------

Once you compose the signature in 'invisible characters format', append it to the real message and post it. Make sure you don't overwrite the line-feeds like I did.

WeatherOctober 14, 2018 11:10 PM

head -36 > message-body.txt \
; echo -n -e '\x0a\x0a' >> message-body.txt # Fix my mistake

\0x0a\0x0d

WaelOctober 14, 2018 11:26 PM

Correction... (and I was telling @Weather to read the codes... go figure!)

# Convert binary to invisible characters
perl -pe 's/0/&zwj;/g;s/1/&zwnj;/g' /tmp/stripped_base64_to_binary > /tmp/embedded_signature

WaelOctober 15, 2018 12:03 AM

@Tatütata,

I somehow missed all of that.

Very good effort, by the way! There'll be other opportunities, I think :)

Epiloge:

Assuming I did nothing stoopid, as I am seeing double right now (19 sec video clip https://youtu.be/_u5A0H6PkqE ....) and the signature verification really works: In this exercise, there was a concept, a design, an architecture and an implementation.

Concept
I say there is a security flaw in the concept, for the following reasons:
1- The blog does not support signatures
2- Many come here over Tor (they think it protects them - lol)
3- Who wants to trade off Reputation for less Impersonation? One would give up plausible deniability to reduce the chances of impersonation -- not a good trade-off!

Design
Hmmm. Bad encoding mechanism:
1- Too inefficient
2- Occupies excessive space of blog storage
3- Not really stealthy (for confidentiality.)

Architecture
Ummm.
1- Depending on external sites is a bad idea.
2-

Implementation
1- Quick and dirty

The next iteration I had in mind... well, may be later.

TimothyOctober 15, 2018 12:49 AM

According to MeriTalk, a report from the Office of the Director of National Intelligence confirms that the U.S. supply chain is under ‘systemic assault by foreign intelligence entities.' MITRE released a report in August urging the DoD to secure acquisition and the supply chain, recommending 15 changes overall. The DoD is already taking a recommendation from MITRE’s report with a new pilot initiative called “Delivered Uncompromised" under which security guarantees are a 'forth pillar' of contract acquisition. The Pentagon and Congress are also working towards tightening up supply chain security.

MeriTalk: Microchip Hack Report Puts Supply Chain Issues in Crosshairs

DNI: Supply Chain Risk Management

MITRE: Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War

TatütataOctober 15, 2018 1:59 AM

@Ratio will tell you RegEx isn't my cup of tea.

Me neither, and there was a lot of awk and sed going around here. It hardly ever exactly works as advertised, the interpretation seems to vary too widely from one tool to the other. (e.g.: editor find-and-replace, programming library).

The rhyme scheme is AABBA for limericks! AABBA was they AES key

Oh, I understand now! The limerick is the key, not of the "howto" poem. The derived key was apparently meant to be plugged directly into that site as a kind of passphase, and not as a 256 bit wide field.

There is some defective html or ≤ / > floating around, which scr*ws searching on the page.

Tried the verification script at this end: "Verified OK". Yeah.

TatütataOctober 15, 2018 2:12 AM

@Clive:

As I've mentioned, on a local area network all hosts can hear a single packet.

That used to be mostly true on coax-based ethernets, although nodes at each extremity of a long segment of coax could have trouble talking to each others. (I remember hours of fun trying to get a bl**dy 2Mb/s ArcNet with 10-20 nodes to work properly).

But with twisted-pair based LANs, dumb hubs have being replaced by "smart" switches that route packets based on their MAC address, effectively segregating traffic between nodes. The good news is that many of these are configurable to provide "port mirroring", allowing you to use tools such as WireShark.

---
@Wael, Re: Kleopatra. I just got it! But of course!

I had assumed that the name chosen was some sort of French pun. "Clé" (newer spelling), "Clef" (older spelling) = key. So Clef-O-Patra...

Clive RobinsonOctober 15, 2018 5:30 AM

@ Tatütata,

But with twisted-pair based LANs, dumb hubs have being replaced by "smart" switches that route packets based on their MAC address, effectively segregating traffic between nodes.

Only for the majority of user traffic.

What was perhaps not clear is that I was originally talking about "Discovery" which is what the BMC network does amongst other things. It sends packets as broadcasts, otherwise protocols like BOOTP, DHCP, ARP etc would not work.

The ethernet packets being non routable uses Eth-Add FF:FF:FF:FF:FF:FF for broadcast which the switch should send to all active connections. This is inturn used usually by UDP packets where the IP subnet broadcast address host is all ones under CIDR rules which derived from a suggestion a decade back from that in the early 1980s.

So, long befor IPv6, which might account for why IPv6 does not have a broadcast address but does have multicast addresses. The configuration of which is a story for another day ;-)

echoOctober 15, 2018 8:16 AM

@JG4

Yes, dualism is a problem.

On the legal issue the UK case law says where a persons human rights hang in the balance the judgment must always be in favour of the person. I'm sure you and others realise this puts an altogether different tilt on issues. It's not much help when up against it but another snippet of critical law people are not educated about.

@Clive

I thought I was clear but obviously not. What I was trying to articulate was is there a form of "reverse fingerprinting" which works at the linguistic level which can survive historical analysis and traffic analysis. By this I mean using sentence structure and meaning structure and word choice to subtley embed a message albeit at a low bitrate.

My maths and domain knowledge isn't good enough to know whether this passes basic sanity checks.

echoOctober 15, 2018 10:04 AM

Given a senior polixe officer hid in his car with locked doors durign a low level terrorism incident when citizens werebeing stabbed in the street and another senior officer who had to resign in disgrace after a bullying scandal has been put in charge of conduct investigations this kind of performance by UK police makes me wonder whether they work for everything else but the public interest. I have little doubt this kind of political roadcrash is deliberate.

https://www.theguardian.com/politics/2018/oct/15/police-will-not-examine-claims-of-russian-meddling-in-brexit-vote

Police will not examine claims of Russian meddling in Brexit vote. Met outlines scope of any inquiry as campaign group takes government to court.

echoOctober 15, 2018 10:54 AM

https://www.standard.co.uk/news/uk/nearly-18000-members-of-british-armed-forces-are-obese-a3961466.html

Nearly 18,000 members of the British armed forces are clinically obese, figures show.

The stats show 398 troops have Type 2 diabetes, 160 personnel have been prescribed diet pills and 16 given liposuction.

As of July 2018, there were 8,662 obese soldiers in the Army, 4,666 in the Royal Navy and 4,274 in the Royal Air Force.

The figures, obtained by the Mail on Sunday under the Freedom of Information Act, also show more than 30,000 troops are considered overweight, based on the body composition measure (BCM).

"The envy of the world."

"Gold standard."

"Punching above our weight."

WaelOctober 15, 2018 11:31 AM

How to sign a message -- helping script

Script name: preview.sh
Message to be signed and posted: test_message
Private / Public keys: Look here for simple instructions
make sure you do a chmod +x (or 755, or whatever suitable for you) preview.sh

Script starts with#!/bin/bash, below

#!/bin/bash

echo "Usage: preview_signature input_file passphrase"
echo $1 # Did not have time to put command line parsing
echo $2 # You'll need to read in the passphrase for private key access
echo $3 # And take switch arguments to perfome the needed task

# Sign the test message to be posted
openssl dgst -sha256 -sign ../../keys/private.pem -out /tmp/sign.sha256 test_message

# Convert message signature to base64
openssl base64 -in /tmp/sign.sha256 -out /tmp/post_signature

# Convert base64 to binary numbers representation
cat /tmp/post_signature | perl -pe '$_=unpack"B*"' | sed 's/.\{8\}/& /g' > /tmp/base64_to_Binary

# Strip Binary. Stripping spaces is needed or a lot of extra spaces will be shown.
# a dead give-away that something is going on.
cat /tmp/base64_to_Binary | tr -d ' ' > /tmp/stripped_base64_to_binary

# Convert binary representation to invisible characters.
# It's not really binary in the sense of base-2, but 1 and 0 represent
# the two available symbols. If you use the other invisible symbols,
# you can improve the encoding. Not all invisible symbols can be used, btw.
# And some have to be used with caution.
perl -pe 's/0/&&zwj;/g;s/1/&&zwnj;/g' /tmp/stripped_base64_to_binary > /tmp/embedded_signature

# Convert invisible characters back to binary representation
perl -pe 's/&zwj;/0/g;s/&&zwnj;/1/g' /tmp/stripped_base64_to_binary > /tmp/embedded_signature

# Compare the two binaries - make sure reversing the operation works before you post a signature. This way, you get cofidence that the reconstructed information matches the original.
diff /tmp/stripped_base64_to_binary /tmp/reconstructed_binary

# Convert Binary representation to Base64
cat /tmp/reconstructed_binary | sed 's/.\{8\}/& /g' | perl -lape '$_=pack"(B8)*",@F' | head -11 > /tmp/reconstructed_signature

# Compare reconstructed signature with original
# If diff passes, no output will be shown.
diff /tmp/reconstructed_signature /tmp/post_signature

# End of script
----------

Once you compose the signature in 'invisible characters format', append it to the real message and post it. Make sure you don't overwrite the line-feeds, otherwise you'll have to account for that.

WaelOctober 15, 2018 11:58 AM

@Tatütata,

Tried the verification script at this end: "Verified OK". Yeah.

Thanks!

I had assumed that the name chosen was some sort of French pun

I don't know French - for future reference.

The limerick is the key, not of the "howto" poem.

Explanation, with details.

Steganography ain't lame, Notepad is the trend;

There is some steganography in the body of the message! It uses "invisible characters".
To unhide and extract the hidden text:

After you de-steganogyphize the hidden text, it's time to decode it!
@Ratio did that and called it "gibberish"

Cryptography's the game, But vi's your friend!

There is also a Cryptography component -- fulfillment of: "Oh, that's coming. Count on it :)", "vi" is a hint to the nature of the hidden text.

Don't run out of steam; Remember, and you'll be done;

Pay attention to the instructions within this "poem", it will make you life easier, so don't give up.

The key's the rhyme scheme,

The key is "AABBA" -- the rhyme scheme of limericks. That was the promised deliverable, so to speak.

Replace B with zero and A with one

Replace AABBA with 11001
After you de-steganogyphize the hidden text, it's time to decode it!
@Ratio did that and called it gibberish"

7CzVhqvZZnkzXwlO3FF9bd7bv9dS3ydl+DmJHhZoO8Vfmgp6kd23qISfDAehc9F79ONwCKDAYjHFnZ5odq0JC2M1i8o4XUyGC3fv2dsbYzadP6zlL+aPQvAv6GC5h5YfE7BuGjOahID1OFZKDAyOkAps1O/8xj61/mfQXnWEXIZ9frvytVWD+PPSJfFgdVSPUV9GKgtvQuj+zbnspsKLufLtsuAymxHRN1dxDTB8hww=

You have enough information and scripts to be abe to extract the above ;)

Know that I keep my word; I have class. On Schneier's Blog of Cryptology...

I kept my promise, and on this blog,

My limerick immortalized your *ss

I fullfilled my promise: "Don't make me immortalize your rump with a Cryptographic limerick, ok?"

With an inscription of your Eulogy

He left, and effectively "died", and requires a "Eulogy" to "immortalize" him. Inscribed on the walls of this blog - his tombstone, so to speak ;)

The limerick is wrapped in AES, OpenSSL is a loosing bet; With a 256-bit key -- no less!

Need to decrypt using AES. But do not use openssl! The key length is 256 bit

Decrypt with https://aesencryption.net
Go to https://aesencryption.net , and:
Put

7CzVhqvZZnkzXwlO3FF9bd7bv9dS3ydl+DmJHhZoO8Vfmgp6kd23qISfDAehc9F79ONwCKDAYjHFnZ5odq0JC2M1i8o4XUyGC3fv2dsbYzadP6zlL+aPQvAv6GC5h5YfE7BuGjOahID1OFZKDAyOkAps1O/8xj61/mfQXnWEXIZ9frvytVWD+PPSJfFgdVSPUV9GKgtvQuj+zbnspsKLufLtsuAymxHRN1dxDTB8hww=

in the "Plain or encrypted text here" box
Put 11001 in the "Key of the encryption" box
Select 256 bits
Click the "Decrypt" button

I know the so-called poem sucks so don't show me contempt
Beauty is in the eye of the beholder ;)
Thank me for not using f*cks; Tell me read this before a lame attempt
The limerick is surprisingly not vulgar. Read the document before you blame me ;) And the resulting decrypted limerick is:

There once was a guy named ianf
Who messed with wrong blog staff
Clive and I tore him a few new ones
So he ran away from the nuisance
And joined his banned fellow Riffraff

I had to maintain some level .f subtle vulgarity in it. It's a limerick, after all!

PS: I am not sure whether the web site had a bug or I put AABBA instead of 11001. UNlikely that I made that mistake, but I am not certain. I think I tried both,

WeatherOctober 15, 2018 4:13 PM

BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4BNhf0wjCM

A)00011000110111011111110111010111000111

B)
MIICIjANBgkqhkiG

C)
9w0QEF08KE4f0w

Encrypted)

���MIICIjANBgkqhkiG9w0QEF08KE4f0w

Clive RobinsonOctober 15, 2018 4:28 PM

@ BSPMBS,

There goes my travel plans to New Zealand!

You could wait a little while and ask our host @Bruce, NZ is on his travel plans in the near future.

Mind you as NZ is know as "The last bus stop before the south pole" @Bruce could like quite a few "US Entrepreneurs" be looking for not just a "quickie NZ citizenship" and a major mansion, but also a 60month bunker to ride out the neo-XXX predicted "uprising of the great unwashed".

When of course the tree of liberty gets a bath in the blood of patriots and tyrants... As foretold by some old US geezer who obviously can not be trusted because he did not have a beard a hipster would be proud of ;-)

Bong-Smoking Primitive Monkey-Brained SpookOctober 15, 2018 4:40 PM

@Clive Robinson:

As foretold by some old US geezer

Same abomination as this one:

forge a birth certificate for "Jamaica Hospital, New York" as some one who looks like a Shetland Pony with a comb over is "alleged" to have done ;-)

Or is it a different whacko?

Clive RobinsonOctober 15, 2018 5:50 PM

@ BSPMBS,

Or is it a different whacko?

Tommy-J was long gone before The Doh-gnarled, but they could have been hacked from the same whole cloth. TJ made the usuall sound bytes like "all men are created equal" which realy ment some are realy "more equal than others", hence his plantations kept ticking along on slaves. And he was not averse to taking them to his bed especialy after his wife died... So on that score the Doh-gnarled could be said to have to do a bit of catching up, but only by a bit...

But in other areas TJ was not just highly educated, he had fingers in many pies unlike U-nuz-Ho. Some only half jokingly say he has but one finger and has trouble between picking his nose and his bum, which might account for his mood swings. Any way with such little hands it's kind of difficult to count, so a prime candidate for the "ring or the watch" joke...

EdwinOctober 15, 2018 5:55 PM

Bong-Smoking Primitive Monkey-Brained Spook

Re yr name: nomen est omen. Anyway, I hope not.

Liked your Freudian slip


"Same abomination as this one: forge a birth certificate for "Jamaica Hospital..."

Did you by chance refer to the kenyan born U.S. abomination 100 % uma delicia?

Clive RobinsonOctober 15, 2018 6:10 PM

@ Edwin,

Did you...

No it was me that brought it up...

Somebody was arguing the other day in the meat space i frequent from time to time, that the best place to hide is as the spokesperson for your chosen enemy. The conversation moved on as such things tend to do to deeds and actions. Where it was pointed out that the best way to hide something about yourself is to accuse another person of what you are trying to keep hidden...

So if you look up my original comment, and then look up a person who repeatedly accused another of having a fake birth certificate then "the penny will drop" as they say...

PeaceHeadOctober 15, 2018 6:20 PM

" Non lethal technology was included into NATO military doctrine due to their effort:

"At the initiative of the USA, within the framework of NATO, a special group was formed, for the perspective use of devices of non-lethal effects" states the record from the session of the Committee on Security of the Russian State Duma (29).

The report published by STOA states:

An interesting nugget of data from the internet. Can anybody shed some insight on this topic?
It relates to the components of security that relate to actual human safety rather than just digital safety/security or intellectual property rights safety/security.
For those who aren't total skeptics, you probably comprehend that when technologies go "straight to the cranium", in a malicious and/or dangerous manner, those technologies certainlypossibly hamper that person's ability to manage security as well more critical activities such as basic survival activities.

Skeptics, please hold off for a while, I'm not inviting rebuttals, I'm seeking additional info on the topic quoted below. I'm not trying to convince people of anything and therefore you aren't required to try to convince me of the contrary either. The quote is right here...

"In October 1999 NATO announced a new policy on non-lethal weapons and their place in allied arsenals" (34). "In 1996 non-lethal tools identified by the U.S. Army included directed energy systems" and "radio frequency weapons" (35) - those weapons, as was suggested in the STOA report as well, are being associated with the effects on human nervous system.

According to the Russian government informational agency FAPSI, in the last 15 years, the U.S. expenses on the development and acquisition of the means of informational war grew four times and at present time they occupy the first place among all military programs (17),(3).

Though there are other concepts of informational war than mind control, the unwillingness of the USA to engage in the negotiations aimed at the ban of the manipulation of human brains might indicate their intent to use those means in internal as well as international affairs.

One clear consequence of the continuation of the apparent politics of secrecy surrounding technologies enabling remote control of human brains might be that the governments, who would own such technologies, could use them without having to take into consideration the opinion of the general public.

The concept of the democratic world would be, though secretly, disrupted in this way, and in the future the world populations could live in only fake democracy where their own or foreign governments might, by means of secret technologies, shape their opinions. "

@echo: With much respect, please don't succumb accidentally (or otherwise) to feeding the openers of Pandora's Box a lockpicking set or any kind of enticements. When I initially posted contents here about quantum stuff it was as a warning sign of dangers and risks and why that field needs to back down from threatening existence just to know what existence is. It was not my intention to turn that field of ideas into a clearinghouse of data nor typical coffeetable fodder for us cryptotypes or anyone else. It's quite serious the myriad ways that arrogant military, intelligence, government, corporate, overzealous fellowships, and physicist types put us at constant risk with their attempts to implement their lofty ideals. The constant threats and realities of total compound distasters just isn't enough to keep them away from Pandora's Box. Peace be with you, nevertheless.

echoOctober 15, 2018 6:34 PM

This discussion is becoming pretty sexist in the sense it's quoting memes created by the long tail of men benefiting from an unequal society. This misses out 50% of the map and also adds a kenetic skew which pushes out resource based security.

Melania is as toxic as Donald. In the UK I have been keeping my eye on women's issues in the media.Because of the way articles are phrased and sidelined as "women's issues" men miss a lot of very obvious things. One item is victim blaming women then twisting and forcing "workfare" which has the effect of completely shutting down discussion of political accountability and economic damage. Issues such as homelessness which were promised solutions have been silenced and actually become worse which indictes failures at the administration level.

Framign and misdirection are very powerful because of the way our brains are wired. Weseem to lack the intellectual pillars today to keep things on the straight and narrow and also the right degree of appropriate scrutiny to analyse exactly what is being said.

PeaceHeadOctober 15, 2018 6:41 PM

Oddly my previous entry did not post correctly.

I believe the post was edited by another user while in transit. The paragraph sequencing is disturbed.
Please start with paragraph beginning with "An interesting nugget of data from the internet. Can anybody shed some insight on this topic? "

Then read the rest of the entry, and read the beginning paragraphs last. Obviously, the section to "echo" is separate in terms of both semantics and syntax and pragmatics, but you can sort that out mentally if you are competent mind.

Also, just a note... I will be frequenting this site probably much less than in the past. I feel that this section of the site is interesting yet unfortunately vulnerable to conflicts of interest for people like me, (and probably for people not like me). And I feel that I can't sustain my presence here due to the ethical and other costs to me and others if this site section devolves or if it gets taken over by hostiles.

Peace and goodwill to those trying to enhance security for a maximum quantity of lives and minds rather than trying to incite more chaos into this already ihstable world.

Please be careful.
Sincerely, PeaceHead

P.S.-I took down my other web address because I didn't want an innocent person or persons to be put at risk because of my minimal cultural references to their aesthetic digital contents. Other copies remain in the wild, and that's a good compromise.

EdwinOctober 15, 2018 6:41 PM

Clive Robinson

Yep, the wet market, as we call that place. You probably refer to the meat section at Waitrose's. Other countries, other customs.

For the rest, am a bit confused (you mentioning an "enemy") but then again, the structure of the blog doesn't help either.

Btw had a good laugh. Now, it seems the NPCs are even implying Russia was behind the Brexit outcome. Fits: Guilty until proven innocent. But I still like beer, I always liked beer (as long as it is not warm).

There was no Brexit vote but rather a non-binding referendum. That first. And second, the U.K. unfortunately never will leave the E.U. Soros already is financing campaigns for a new referendum.

And what most forgot: The PM was, prior to becoming PM, one of the most ardent remainers. That much for interference from Russia.

So, next time at Waitrose's be careful. You never know what Ghlademeer has gotten up his sleeve.

EdwinOctober 15, 2018 6:48 PM

PeaceHead


"Oddly my previous entry did not post correctly.

I believe the post was edited by another user while in transit. The paragraph sequencing is disturbed."


Must have been the Russians. They're also at Greggs, btw. I already told Clive to watch out for Ghlademeer.

Clive RobinsonOctober 15, 2018 6:51 PM

@ echo,

By this I mean using sentence structure and meaning structure and word choice to subtley embed a message albeit at a low bitrate.

Kind of reverse of a "document canary", where linguistic changes form a serial number to trace back a traitor/whistleblower.

I think it was Francis Bacon[1] that first came up with that sort of idea (but as with much early crypto you only get to hear about "the bad and the ugly"... As for "the good" Billy Shakespeare nailed that with the "lend me your ears" speech where he said "The good is oft interred with their bones.” so let it be with cipher...

Such linguistic coding is often used in common parlance to mean the opposit of what is being said either by a look or over egging the pudding thus the now infamous "He's a real winner"[2]. It is rumoured that women do this rather more than men, especially when the target of such comments is well within listening range.

So yes if someone is known privatly to have certain beliefs etc then negating them or not could be used to send a "one" or "zero". However knowing someone well enough to send more than a couple of bits would become quite onerous and error prone.

Even asking a wife what her husbands favourite meal is, is likely to flounder because of the base assumption there is an all conquering choice. For instance the fact I like eating potatoes and greens does not a meal or a favourite make, and my tastes definitely change with not just the season but the location and even the company.

[1] https://www.peterharrington.co.uk/blog/knowledge-is-power-shakespeare-bacon-modern-cryptography/

[2] Speaking of infamous sayings there is the old "Infamy, infamy, they've all got it in for me".

EdwinOctober 15, 2018 7:38 PM

Scott Morrison says it's 'regrettable' his senators backed Pauline Hanson's 'it's OK to be white' motion


Prime Minister Scott Morrison has described as "regrettable" his own senators' decision to back a motion declaring "it is OK to be white", while the Coalition's leader in the Senate has apologised and blamed an "administrative error"


The motion, moved by One Nation leader Pauline Hanson yesterday, was narrowly defeated 28 votes to 31, despite the Coalition's backing.

It called on the Senate to acknowledge the "deplorable rise of anti-white racism and attacks on Western civilisation" and that "it is OK to be white".

Facing an almost immediate backlash, Attorney-General Christian Porter, whose office directed Coalition senators to vote in favour of the motion, defended the move on social media.

"The Government senators' actions in the Senate this afternoon confirm that the Government deplores racism of any kind," he said.


http://www.abc.net.au/news/2018-10-16/morrison-regrets-senators-backing-anti-white-racism-support/10381038

Little LambOctober 15, 2018 8:02 PM

@echo

sexist in the sense it's quoting memes created by the long tail of men benefiting from an unequal society. This misses out 50% of the map

I don't want to take you out of context, but not quite. The "system" we speak of still treats women as property. There is a patriarchy at work, just as the more educated feminists have explained to us, especially since the civil rights era of the 1970s.

About 10% of the men at the top are the patriarchs with the economic and political power. They do not admit many (if any) women this high in the political power structure, and they rudely shove the remaining 90% of men out of the way as undesirable competition for mates in their vicious game of social Darwinism.

In short:

  • Most women are property.
  • Most men are unwanted competition.

No one is happy with this system except for a few wealthy political elites, who in fact do tend to be exclusively male.

Transgender, etc.? Property if they work at the strip club, undesirable competition for socially rationed resources otherwise.

echoOctober 15, 2018 9:32 PM

@Clive

Kind of reverse of a "document canary", where linguistic changes form a serial number to trace back a traitor/whistleblower.

Yes although done at a more clever mathematica level than the examples you cite. I think the idea was in my brain somewhere and reading about turbulance theory triggered this.

This is neatly encapsulted by your supplemtary comments about food. Funnily enough I said something complementary loudly within a man's hearing distance this which may have been over-egged or reasonable depending on perspective and heard him retort with a mocking "Yeah, right". I have an idea what this was for but, deep sigh, I know the statistical basis for this so not eternalising my emotional wellbeing.

@Little Lamb

Fair comment.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.