The UK’s Marine Conservation Society is urging people to eat less squid.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Spanish translation for “The Eternal Value of Privacy” is unavailable. Pls check, value of that fundamental essay is just too high to be unavailable to the 500MM Spanish speaking individuals around the world. Thanks. Freedom.Libertad.
https://elpais.com/elpais/2018/10/10/inenglish/1539186888_353824.html – Cybersec Guardia Civil Top Officer heads up and offers Spanish Parliament a grim cyberwar panorama in the following years – El Pais newspaper, digital edition.
InSecure • October 12, 2018 5:56 PM
Easy DNA Identifications With Genealogy Databases Raise Privacy Concerns
https://www.npr.org/sections/health-shots/2018/10/11/656268742/easy-dna-identifications-with-genealogy-databases-raise-privacy-concerns
“In a paper published Thursday in the journal Science, the researchers projected that they could identify third cousins and more closely related relatives in more than 60 percent of people of European descent. (They chose this group because most people in their database have that ancestry.)…In another part of the study, the researchers went even further to see if they could do the same thing with other DNA databases. They were able to use their techniques to identify a supposedly anonymous woman whose DNA was stored in the 1,000 Genomes Project, a National Institutes of Health research database.”
A MAP OF EVERY BUILDING IN AMERICA
https://www.nytimes.com/interactive/2018/10/12/us/map-of-every-building-in-the-united-states.html
Graduate Student Solves Quantum Verification Problem
https://www.quantamagazine.org/graduate-student-solves-quantum-verification-problem-20181008/
“Now, after eight years of graduate school, Mahadev has succeeded. She has come up with an interactive protocol by which users with no quantum powers of their own can nevertheless employ cryptography to put a harness on a quantum computer and drive it wherever they want, with the certainty that the quantum computer is following their orders…Using classical cryptography in the quantum realm is a “truly novel idea,”
Clive Robinson • October 12, 2018 7:19 PM
More scathing poured on Bloomberg
It just gets worse for Bloomberg, yet another TechComment site dumps a bucket or two of scorn on their “China Implant” stories,
At this rate how long before somebody official in SEC etc wakes up and takes a look…
Clive Robinson • October 12, 2018 7:25 PM
@ InSecure,
Graduate Student Solves Quantum Verification Problem
@echo posted this a few days ago, and I had a couple of reads through it. There’s actually a lot to digest in the work and I can see some implications to it other than that which was desired.
AlanS • October 12, 2018 8:55 PM
Krebs interview: Supply Chain 101: An Experts View
MarkH • October 13, 2018 3:04 AM
On Genetic Identification
To supplement @InSecure’s comment above, here’s another story (from wired.com).
Some thoughts:
At least one commenter proposed that the situation called for privacy protections, but the problem here seems nearly intractable, because other people have the right to disclose their personal data in whatever manner they see fit, regardless of how little or how much it may effectively disclose about me.
I don’t see how I could justly assert a right that would restrict their right of disclosure.
Some good news, is that more violent criminals are likely to be apprehended. Another bit of good news, is that (as far as I have imagined it), in typical situations other than violent crime, there would be little occasion and/or incentive for gathering DNA for purposes of identification.
The disturbing news, is that this capacity will be misused in ways I haven’t foreseen, and perhaps noone has yet invented … but it’s sure to happen.
Clive Robinson • October 13, 2018 4:37 AM
@ MarkH,
in typical situations other than violent crime, there would be little occasion and/or incentive for gathering DNA for purposes of identification.
Whilst that might be true for the US it is certainly not true for other nations. The UK has had several cases of DNA being taken without sufficient cause and it being kept indefinitely on Police and Govetnment databases as well as some test house and other commercial DBs.
The point is “knowledge is power”, and people will not willingly give up such power once they have it.
For instance back in East Germany after it’s fall the government were found to have jars containing peoples used under clothing that had been taken without their conscent. The apparent purpose was just incase they became “wanted” the government had suitable material for the use of tracker dogs… Leap forward a few years into a united Germany and suddenly it’s found that the new government is up to the old Stasi trick again for what apprears to be entirely political reasons underneath,
http://news.bbc.co.uk/1/hi/world/europe/6683803.stm
I’m reasonably sure if we were able to look we would find such abuses in every nation on earth in one form or another. Because that is the very essence of “Power Politics” which various people will never give up even unto the day they die (J. Edgar Hoover being just one well known example).
Carl • October 13, 2018 4:47 AM
From the latest book, page 212: “Much of the damage caused by cyberattacks is psychological.”
Would anyone know of some research on the topic, focused on corporate victims and defenders? After some searching I was able to find:
Immune from Cyber-fire, The Psychological & Physiological Effects of Cyberwar ; by Gross, Canetti, Waismel-Manor.
There are quite a few articles on effects of cyber-bulliying, but coud not find much on psychological effects of targeted cyberattacks on corporations and government/public institutions. If you are aware of any research material, please post some titles and authors.
Thanks.
CallMeLateForSupper • October 13, 2018 7:09 AM
No good deed goes … appreciated. If I were the hacker, I’d un-patch the routers of the “outraged”.
“A Russian-speaking grey-hat hacker is breaking into people’s MikroTik routers and patching devices so they can’t be abused by cryptojackers, botnet herders, or other cyber-criminals,
“Alexey has not been trying to hide his actions and has boasted about his hobby on a Russian blogging platform. He says he accesses routers and makes changes to their settings to prevent further abuse.
“I added firewall rules that blocked access to the router from outside the local network,” Alexey said. “In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions.”
“But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said “thanks,” but most were outraged. [,,,] Internet vigilante claims he patched over 100,000 MikroTik routers already.:
https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/
Joshua Pritikin • October 13, 2018 8:36 AM
Better to eat no squid. Squid is loaded with cholesterol. See the effect of dietary cholesterol on blood cholesterol.
Little Lamb • October 13, 2018 9:09 AM
Eat more pollock and less squid.
Interesting. If we were to stay to the facts, pollock is made into surimi, fake crab, “krab,” so-called “California” style sushi rolls, etc. Cheap and plentiful, but over-processed and not available to the consumer as the whole fish. No sport or non-commercial fishing for pollock, either.
Sounds like a generic term for waste flesh of various species of fish. The word is basically a racial slur for a Polish man, not necessarily a particular fish.
Moving on to allegory, because this is simply too fishy for fact, this is a general order or threat from the political left (??) to fall into “pol”-itical line and stay away from squid-themed security forums.
Now I’m sure that many (if not most) folks on this forum consider themselves “liberal” in some sense of the word, but computer security in general is too “elitist” for a certain political hoi polloi out there, who demand easy access to others’ computers under some mob-like color of authority or law. Our elitism is off-putting to “them” when “we” on this forum tend run our computers like Swiss banks, i.e., too “conservatively” when it comes to security.
(??) We have “too much money” in the computer industry, have acquired “limousine liberal” syndrome, and are being attacked from the political left by a certain crowd that is less technically inclined than we are. Remember hackers are “‘leet” or “37337” etc.
Clive Robinson • October 13, 2018 9:09 AM
@ The usuall suspects,
You might find this paper of interest,
https://arxiv.org/pdf/1706.07257.pdf
It’s an analysis of 21 recent “Control Flow Analysis” systems.
As older suspects know I’ve discussed this technique quite some time ago on this blog as a small part of getting “process signatures” to be monitored by a Hypervisor to detect changes in behaviour in software that might well indicate malware etc.
Little Lamb • October 13, 2018 10:54 AM
@MarkH
indirect DNA identification, before this demonstration that it already works for most Americans
Electron microscopes are damned expensive, and that Watson-and-Crick stuff is too small for the jury to see. Yeah, at the lab you “know what happened” and don’t need to get into all the technical details. Just print out the results and give the standard educational slide show for the jury.
gathering DNA for purposes of identification
Some “G-man” investigator as seen on TV happened to see a lipstick stain on a wine glass left on the table at a restaurant, wiped it off with his handkerchief, sneaked a peek at the restaurant receipts and found his “match.”
misused in ways I haven’t foreseen
The ladies were playing BINGO at Finn Hall next door, they got their “DNA match” XY on 1,000,000:1 odds, and they called blackout.
They checked their horoscope in the paper after finishing the crossword puzzle, and oh, yes, “that guy” was there at that time and place, and there are “witnesses” willing to “come forward.”
Alyer Babtu • October 13, 2018 11:33 AM
less popular UK species such as … herring …
The article is talking about the UK, right ? Is nobody having kippers for breakfast and high tea any more ?
MarkH • October 13, 2018 11:45 AM
@Clive:
The examples you offered, of improper collection or retention of identifying material, somewhat underscore the point I was trying to make.
Probably if somebody took a personal item to obtain a sample of my DNA, they already knew who I am. That action would not serve to discover my identity, but rather to facilitate future identification of me by means of trace evidence.
The gist of the new research, is that this step probably isn’t necessary anymore.
It seems to me that scenarios where a “snoop”
• has an identifiable and likely uncontaminated sample of genetic material;
• doesn’t know who left it; and
• has good reason to suspect that this unknown is a person of interest …
are rather limited, though surely they will arise.
For example, nobody needs to steal the contents of the rubbish bin by my house to find out my identity. There are much easier, cheaper and more deterministic ways to find out whose house it is!
A very thorough analysis of this rubbish, however, might identify most persons who spent more than a short amount of time in my house during the week in which the rubbish accumulated. I suspect that such a process would be very costly, though as techniques and automation improve, it will only get cheaper.
Such analysis might also identify my postal carrier, people who handled food packaging at the markets, and perhaps some other cast of characters as well …
This recently evolved ability to identify people will undoubtedly be used in frightening and dangerous ways. There will be some point at which motivation, feasibility and cost-effectiveness suddenly converge, and exploits will happen. I lack the foresight to predict where this may be.
NOTE: By my understanding of US law, law enforcement officers need a search warrant to take items from my home or rubbish bin as a way of gathering DNA samples or any other kind of evidence. However, they can collect such items from a public space without a warrant. It has become fairly common to follow a suspect in order to gather a paper drinks cup or cigarette butt discarded in a public space, in order to get DNA to compare with crime scene samples.
@Little Lamb:
As far as I understand the matter, the processes of DNA identification are essentially chemical, and don’t involve any use of an electron microscope.
Gunter Königsmann • October 13, 2018 12:34 PM
About the device implants: since every pci device can come with windows drivers (my graphics card emulated an usb bus connected to an usb memory key filled with signed drivers that could be installed automatically for this purpose) and/or uefi extensions I guess that
1) if the apple and Amazon servers didn’t contain an implant this time such implants will be found somewhere at some point in the future and
2) Spionage devices might really as small as the devices Bloomberg has shown: they need less memory than a 200 Gigabyte transflash card and for interfacing an pcie or usb bus it does need only about 4 Pins…
…all one has to get is a key for signing the software inside the device.
Little Lamb • October 13, 2018 12:37 PM
Mat-Su Borough got hacked to the tune of $2,000,000 after some male teacher was accused of improperly patting the wrong child on the back or something like that.
Anyways, it sounds like the database technicians discovered that the sex offenders DNA registry database was corrupt when they attempted to restore it from backup, and they were scrambling to get off the property before they got arrested for possession of child pr0nography, you know, being on school grounds and all, so they had to hire an outside security consultant, and a bunch of lawyers, accountants, and auditors got involved, but they can’t find really find a babysitter for their kids while they’re working on it.
Gunter Königsmann • October 13, 2018 12:45 PM
Actually my small aspire one netbook came with a few pads for internal connectors additional hardware could be soldered to: an data hard disk, additional pci hardware and a few pins of one connector could be used as a. Additional usb bus.
I guess they included all that for future extensions or for versions with internal GPRS Chipsets, a real hard disk drive instead of an SSD or just for qualification tests. But – that means that places one could add spying devices to exist even in relatively simpke designs. Note that most standard integrated peripherals that aren’t part of the main chipset are pci or usb ones.
JG4 • October 13, 2018 1:50 PM
The first excerpt is not far off what I perceive as The Real Clive’s views. I don’t recall him saying that anyone working for the man has to make a choice. John Boyd explicitly said that everyone has to make a choice between being someone (acceptable to the system) and doing something (intrinsically unacceptable to the system, otherwise the system would do it). Tragic that Big Tech and Big Data aren’t mentioned here, because that precisely is where some of the largest thefts are happening and being rewarded richly.
https://www.nakedcapitalism.com/2018/10/clive-naked-capitalism-ammunition-war-information-2.html
…
For those of us on the inside, we don’t deserve any sympathy. But I’d like to offer a glimmer of insight into the conflict that those of us with any sort of conscience wrestle with because it is a conflict which is going to shape our societies over the next generation.
Increasingly, if you want to get and hang on to a middle class job, that job will involve dishonesty or exploitation of others in some way. Industries such as finance have seized and held onto larger and larger proportions of the economy.
The same disproportionate growth can be seen in financialised healthcare and finacialised education. Naked Capitalism has broken story after story of how these businesses have demonstrated a near-endless capacity for scandal, fraud and wrongdoings of every conceivable sort.
…
I want to raise again the question of quasi-anonymously sharing information, say via photobucket, imgur, pastebin or similar vehicle. I’d like to have a more robust discussion of releasing designs into the wild, of which I have many. I am acutely sensitive to the fact that “helpful to human rights activists” means “useful to organized crime.” It may be helpful to consider whose crimes are the most organized on your planet.
The usual daily news compendium.
https://www.nakedcapitalism.com/2018/10/links-10-13-18.html
…
Big Brother is Watching You Watch
Facebook cyber attack sees data stolen from 29 million accounts in its largest ever data theft abc.net.au (Kevin W)
Cyber tests showed ‘nearly all’ new Pentagon weapons vulnerable to attack, GAO says NPR (Chuck L)
…
The US State Department withdrew Hillary Clinton’s security clearance and those of several former Clinton aides Business Insider (Kevin W)
…
Black Injustice Tipping Point
Retired firefighter found guilty for shooting at lost black teen on doorstep NBC
…
Clive Robinson • October 13, 2018 3:18 PM
Is SEC waking up to Cyber Security
https://www.nytimes.com/2018/10/08/business/dealbook/voya-sec-cyber.html
SEC has “Identity Theft Red Flags Rule” legislation for PII and similar protection, but has left it languishing in some dark corner for five years.
However Voya Financial Advisors, the investment advisory unit of Voya Financial were so “willful” in their negligence that finally SEC blew of the dust and draged the legislation out into the light of day to censure Voya with a “cease and desist order”.
However it is estimated that the majority of financial enterties that fall under SECs purview are actually failing to meet the requirments in one way or another as they have not appeared in guidence information…
I guess we will now see a whole new cottage industry spring up around this.
Clive Robinson • October 13, 2018 3:42 PM
@ Thoth, and the Usual Suspects,
You might find this page on large integer code of interest,
Clive Robinson • October 13, 2018 4:17 PM
@ BSPMBS and others,
With regards Turkey and the disappearance of a Saudi Journalist in the Saudi consulate a question got possed,
Well the House of Saud has it’s fingers in many pies. Not least of which is the US “Silicon Valley” companies, which the previous US administration held in high esteem
https://www.nytimes.com/2018/10/12/opinion/silicon-valley-saudi-arabia.html
Whilst the previous US administration held the companies in high esteem, more recent events suggest that that was in some cases misplaced.
It would appear that some of the money behind these companies was funneled into unhealthy relationships with very right wing politics, then into Russia, and then back out into attempts to rig various elections around the world via Social media and some more unplesant activities upto and including “wet work”…
On a similar note it would appear that the authoritarian leader of China might well be starting a significant backlash against the rich and non party powerfull,
echo • October 13, 2018 4:28 PM
I caught a lot of science news this week. I have linked to a handful of these artciles. The first involves data transfer via gravity which may be of communications security interest.
The other articles I linked to are mostly general science relating to big questions about dark matter and the theoretical issues surrounding turbulence which is a really interesting examination of simplicity and complexity and state changes. I offer these as more food for the mind than any specific observsation.
The forth article covers objectivity and bias in science. While the article mostly focuses on women’s struggles with sexism in conjuction with Desmond Morris’s (?) theories of hierarchial rigidity I propose that the article be read bearing in mind both contexts.
The fifth article notes a breakthrough in photonic computing which may have implications for data processing bring faster processing sooner, enabling the processing of more and more complex survellience data.
Sorry. I couldn’t keep adding articles. This will do!
https://phys.org/news/2018-10-mathematicians-possibility-gravitational.html
Mathematicians confirm the possibility of data transfer via gravitational waves
RUDN mathematicians analyzed the properties of gravitational waves in a generalized affine-metrical space (an algebraic construction operating on the notions of a vector and a point) similarly to the properties of electromagnetic waves in Minkowski space-time. They report the possibility of transmitting information with the help of nonmetricity waves and transferring it spatially without distortions. The discovery could lead to a new means of data transfer in space, e.g., between space stations. Their results are published in Classical and Quantum Gravity.
https://curiosity.com/topics/some-physicists-think-time-may-be-slowing-down-and-will-eventually-stop-curiosity/
Some Physicists Think Time May Be Slowing Down — and Will Eventually Stop
The universe is expanding at an ever-accelerating rate. At least, that’s what the vast majority of scientists would have you believe. But according to a team of Spanish physicists, it may not be the expansion of the universe that’s changing rate, but time itself. Time might be slowing down, and that means that it could eventually stop altogether.
https://www.quantamagazine.org/famous-experiment-dooms-pilot-wave-alternative-to-quantum-weirdness-20181011/
Famous Experiment Dooms Alternative to Quantum Weirdness
Oil droplets guided by “pilot waves” have failed to reproduce the results of the quantum double-slit experiment, crushing a century-old dream that there exists a single, concrete reality.
https://arstechnica.com/science/2018/10/turbulence-the-oldest-unsolved-problem-in-physics/
Turbulence, the oldest unsolved problem in physics
The flow of water through a pipe is still in many ways an unsolved problem.
Some nearly 90 years later, the effort to understand and predict turbulence remains of immense practical importance. Turbulence factors into the design of much of our technology, from airplanes to pipelines, and it factors into predicting important natural phenomena such as the weather. But because our understanding of turbulence over time has stayed largely ad-hoc and limited, the development of technology that interacts significantly with fluid flows has long been forced to be conservative and incremental. If only we became masters of this ubiquitous phenomenon of nature, these technologies might be free to evolve in more imaginative directions.
https://www.wired.com/story/why-men-dont-believe-the-data-on-gender-bias-in-science/
Why Men Don’t Believe the Data on Gender Bias in Science
Why do men in science devalue such research and the data it produces? If anyone should be willing to accept what the peer-reviewed research consistently shows and use it to correct the underlying assumptions, it should be scientists.
But it is in large part because they are scientists that they do not want to believe these studies. Scientists are supposed to be objective, able to evaluate data and results without being swayed by emotions or biases. This is a fundamental tenet of science. What this extensive literature shows is, in fact, scientists are people, subject to the same cultural norms and beliefs as the rest of society. The systemic sexism and racism on display every day in this country also exist within the confines of science. Scientists are not as objective as they think they are. It is an extremely destabilizing realization for someone whose entire career has been rooted in the belief in human objectivity.
https://phys.org/news/2018-10-half-light-half-matter-particles-key-revolution.html
Scientists have discovered new particles that could lie at the heart of a future technological revolution based on photonic circuitry, leading to superfast, light-based computing.
Wael • October 13, 2018 4:37 PM
@Clive Robinson,
It’s an analysis of 21 recent “Control Flow Analysis” systems.
Good paper. Was only able to finish 4 or 5 pages — got bored after a while, but I think I’ll visit it again. Yes, some C-v-P concepts there.
CFI has received a lot of attention by the research community, but has not yet been widely adopted by industry.
Becuase the industry is full of self-certified experts, I tell ya! snort 🙂 It’s actually more dismal than that.
Memory errors are produced by memory unsafe languages, such as C and C++, which trade type safety and memory safety for performance.
Exclusively by unsafe languages?
By overwriting the return address, the attacker can change the control flow to any location during a function return.
Any function within the same address space, unless a HW bug in the MMU is also exploited.
stack canaries [7, 17] involve placing a canary value between the return address and the local function variables.
Canaries, again! Yaaawwwn.
This protection mechanism was circumvented by the invention of code reuse attacks (CRAs) […] An example of this is the return-to-libc attack […] Return oriented programming (ROP) […] Jump oriented programming
Yea, we’ve seen these a lot lately.
Therefore, a larger search space means more effective security.
Security through Expansion of the Search Space. Where have I seen this principle? Hmmm.
Clive Robinson • October 13, 2018 4:42 PM
Trump Signed Drone Killer legislation
Bubbling away in the background has been legislation that alows the Fedral and othet authorities to attack drones or shoot them down without legal oversight, or for that matter to give rrasons for their actions.
Whilst some may think this is a good idea due to the usual overkill “Health and Safety” FUD, it has significant “freedom” implications.
As has been pointed out but not miuch reported by MSM etc journalists use drones these days to gather information for stories including those of Goverment reprehensible if not illegal behaviours.
This legislation now alows those offenders to take control / crash / shoot down such drones. As we know the FBI amongst other federal agencies has been less than honest about their activities and have received sanction only aftet independent evidence has shown their reporting of events to be false. Thus removing yet another method of independent evidence gathering can be seen as actually a threat to both the citizens and functioning of civil society in the US.
Bong-Smoking Primitive Monkey-Brained Spook • October 13, 2018 4:43 PM
@Clive Robinson:
Well the House of Saud has it’s fingers in many pies. Not least of which is the US “Silicon Valley” companies, which the previous US administration held in high esteem
Everybody has their fingers in everybody else’s pies. The world will significantly change in about four years.
echo • October 13, 2018 4:44 PM
@JG4
I want to raise again the question of quasi-anonymously sharing information, say via photobucket, imgur, pastebin or similar vehicle. I’d like to have a more robust discussion of releasing designs into the wild, of which I have many. I am acutely sensitive to the fact that “helpful to human rights activists” means “useful to organized crime.” It may be helpful to consider whose crimes are the most organized on your planet.
Is this meme even true? It is known a robust civic society helps uphold good governance. It is also true that good governance and good community tend to remove the causes of crime and reject crime. It might be useful to see if there is a sociology or other relevant speciality study examining this. There must be something out there.
@Clive
I have noticed this too.
Clive Robinson • October 13, 2018 4:55 PM
@ Wael,
Security through Expansion of the Search Space. Where have I seen this principle? Hmmm.
Just let me think a moment,
In real life it would be called “authoritarian overreach” as we see with “collect it all”…
However yes, similar “over reach” is happening in hardware via the likes of Intel’s ME. Oh and of course every modern OS you find on consumer items has either “telemetry” or “ET phone home” to the Mothership in some authoritarian place.
Then there is the cloud and the likes of Palantir…
But I’m guessing that’s not quite what you mean 😉
Wael • October 13, 2018 5:12 PM
@Clive Robinson,
But I’m guessing that’s not quite what you mean 😉
It’s not what was on my mind but applicable. It’s the beauty of Security Principles that apply to all phases of product development: Inception, Architecture and Design, Implementation, and Operation. We discussed some of these aspects for quite some time. There is one thing I’d like to pick your brain on:
What’s the difference between Architecture and Design in a software development setting, with emphasis on “Security Aspects”? I have some opinions but don’t want to tell you what they are so I do’t taint your thinking. Give me something other than what’s published on the Web 😉
MarkH • October 13, 2018 5:17 PM
@Clive:
Thanks for the Bear SSL link, it’s a nice write-up. I wrote some bigint code back in the day, and learned many of the speed optimization techniques along the way — though the extremal-bits optimization to binary gcd was new to me.
It’s also interesting to me, reading about measures taken to ensure constant execution time, which wasn’t a concern for my application.
@echo:
I haven’t attempted to keep up with research in fluid dynamics, but it’s no big surprise that turbulence remains elusive.
In one of my previous lives, an application required the design of systems to release a fluid which is stored at high pressure as a liquid, and which boils into gas as it flows through the discharge system … imagine how chaotic that must be!
There was no hope of theoretical modeling, only rules of thumb and tables of empirical data.
Wael • October 13, 2018 5:21 PM
@Clive Robinson,
But I’m guessing that’s not quite what you mean 😉
Told you what I didn’t mean but forgot to tell you what I meant. Reduction of the attack surface by Expansion of the search space. There! I said a mouthful 🙂
Clive Robinson • October 13, 2018 5:22 PM
@ echo,
With regards the “pilot wave” mechanics. About five years ago Prof Ross J. Anderson of the Cambridge computer labs published a paper on the subject,
As you might know Ross is more normally associated with “Security Engineering”, and for a while “Security Economics”,
So yes there are crossovers for the curious mind.
echo • October 13, 2018 5:27 PM
In May, Matthew Hedges, 31, was seized at Dubai airport as he attempted to leave the country following a two-week research trip for his PhD. The Durham University student had travelled there to conduct fieldwork for his doctoral thesis on the impact of Emirati security and foreign policies following the 2011 Arab Spring – a subject that no doubt touched a nerve with the authorities.
[…]
But we should ask ourselves a serious question: Is this really the direction of travel in post-Brexit Britain, one in which our government cosies up to repressive regimes, whilst academics and human rights defenders languish in their prisons? Matthew Hedges must be released. But beyond this, the government needs to question the company it keeps and at the very least, acknowledge the destructive impact of basic human rights abuses in the UAE.
I have been personally warned by a UK establishment person that to know what you want, mention the law, and bring up the subject of your rights will gaurantee the door being slammed. It is hell on earth feeling trapped in a virtual prison let alone a real prison half way around the world.
Police watchdog ‘pressed paramedics to give inaccurate statements’ after student paralysed. Paramedics make claim at disciplinary hearing against four officers over incident left 20-year-old Julian Cole paralysed.
I have personal experience of rigged investigations being conduct behind my back only to read there was any investigation and an outcome in the newspapers. This is more evidence and much more graphic that deliberate corruption of investigations occurs.
echo • October 13, 2018 5:46 PM
@MarkH
In one of my previous lives, an application required the design of systems to release a fluid which is stored at high pressure as a liquid, and which boils into gas as it flows through the discharge system … imagine how chaotic that must be!
I didn’t know anything beyond the simple stuff until I read a very long article explaining how SpaceX modelled stuff in their engines.I recall mention of the doing some good optimisations and discovering a few good computational shortcuts or something which meant they could do more accurate and faster work. The article I quoted was new again to me. I’m glad I don’t have to do this stuff! I can’t begin to imagine how hairy your work must have been!
@Clive
As you might know Ross is more normally associated with “Security Engineering”, and for a while “Security Economics”,
So yes there are crossovers for the curious mind.
I would have and did completely miss this. The thought of crossovers was very much at the front of my mind which is partly why I didn’t comment much. I felt people were knowledgeable and smart enough to make their own crossovers. You never know when a thinking widget fills a blank in and inspires something somewhere else.
Thoth • October 13, 2018 6:25 PM
@Clive Robinson, those that helped on bitwise math
Thanks for all the help. Was working to implement Keccak-256 hash function on a smart card and it is finally done. Since Keccak hash is not supported on all smart cards on their crypto processing units and there are no such precedents on actually usable Keccak hash source codes for smart cards, I had to do the 64-bit rotl, add, flip and xor operations by implementing those with the help here.
Works wonderfully and now able to generate a 256 bit Keccak hash in 10 seconds with a 136 bytes input block.
Looking to push the Keccak hash library for JavaCard to Github soon once I cleaned it up for public release.
Clive Robinson • October 13, 2018 7:15 PM
@ Wael,
What’s the difference between Architecture and Design in a software development setting, with emphasis on “Security Aspects”?
It’s a good question, which has filled many a book to answer, all with different Points of View. Which is going to make answering it in a short comment interesting 😉
In the main the problem is because of the dual nature of the beast which has both style and substance, and moves from one to the other through many levels of the computing stack. With the addition of security a much larger range of the stack has to be considered, going well down into the physical layers and up beyond the user and even managment levels.
Part of the problem is the journey from 20,000ft view, through the 1000ft “green rush” down to the solidity of getting your feet on the ground in one piece.
At a sufficient distance it’s easy to see a difference between architecture and design, but as you get closer all of a sudden architecture starts becoming design but there is no clear dividing line just a “zone of change/morphing”.
Architecture is about the whole “functional system” and it’s place within other systems. Each system is built with more general use components that have been designed for a limited scope utilitarian function. Thus the process is from the abstract high levels of functional architecture down through the many levels to the concreate nuts and bolts components that have usually been designed without refrence to any architecture just specific well designed utilitarian function.
As I’ve mentioned on the odd occasion “Components have insufficient complexity to be secure”. That is security comes by bringing a certain minimum of utilitarian componets together in the correct functional architecture to get sufficient complexity to be secure.
Look at it this way a crypto algorithm offers no security what so ever, it has to be built into functioning code before it can do anything. After a design process you end up with a subroutine in your chosen language that takes two input sources and provides a single output. Thus the subroutine is a utilitarian component that can be reused over and over in many different systems in many different ways.
But it’s not secure in it’s own right, to see why consider the case of encryption. To encrypt the subroutine takes the plaintext and the keytext and outputs the ciphertext as designed. But as the subroutine runs in a process the three texts will share the same memory space thus it can not be regarded as secure. To start to get some measure of security you then have to design the process to seperate the three texts in some way where access to one text does not alow access to the other texts. Further you have to have the process run in an environment that segregates it from other processes and so on up the computing stack.
Which is a bottom up approach, which generally is a bad way to do things beyond the design of the basic utilitarian components.
But worse with security involved you will also have to consider the layers below the programing language in the computing stack such as how the memory is organised, lengths of times instructions take to execute, how memory segregation is organised, enforced and audited etc.
Which is why a better way is to do a high level requirments analysis, from which you derive a functional analysis, on which you then do a security analysis. You churn this around untill you end up with your 20,000ft view of what your architecture will be.
You then go through a process of designing a function dependent system framework in which you hang successively smaller frameworks in which you put the utilitarian component parts. Which should if you follow the rules all the way down give you an approximation of a secure system.
Wael • October 13, 2018 7:37 PM
@Clive Robinson,
That’s helpful. Suppose we use the analogy of a skyscraper or an entire city to be built. Assuming Architecture and Design are separate tasks, regardless of whether they’re done by the same person. What would fall under Design and what would fall under Architecture, keeping security in mind?
echo • October 13, 2018 7:40 PM
@Clive
Following on from your comments in the social-economic domain the lack of considering people’s social and economic security suggests Brexit as implemented isn’t an accident but design intent.
I have no idea what Prof Anderson may say or whether his experience in “security engineering” and “security economics” can add value to a discussion.
They have hardly made a secret of their ambitions to reverse protections for workers. “The weight of employment regulation is now backbreaking: the collective redundancies directive, the atypical workers directive, the working time directive and a thousand more,” said Johnson in 2014. Liam Fox told the Financial Times in 2012 it was “unsustainable to believe that workplace rights should remain untouchable”. Jacob Rees-Mogg said he could not “support all the employment rights that come from Europe”. David Davis, John Redwood and the older Brexit crew were against the social chapter from the moment of its inception. Meanwhile, Andrea Leadsom outbid them all when she dreamed of a future when there was “absolutely no regulation whatsoever – no minimum wage, no maternity or paternity rights, no unfair dismissal rights, no pension rights – for the smallest companies that are trying to get off the ground”.
Colin Mansell • October 13, 2018 8:00 PM
Great blog. Love your comments policy.
This is about snooping on us, and is therefore security related, but I wouldn’t mind betting it is also about commerce/behavior/garnering clicks.
I watched a video on Youtube from a hacker conference, quite possibly Defcon, before 2018, from someone who was concerned about the amount of data ‘they’ were collecting on mouse clicks and so on, from the packets and amount of data coming in and going out. Can anyone point me back in his direction? He was an oldish guy 50+, beard if I remember rightly.
On, I believe, a related point, what is going on with Firefox? Are all browser experiences the same now? When I go back to a tab/page after a minute or two, the data is no longer there and the internet has to go back to the cloud/server to start all over and bring the data from new from a blank screen.
Education of my ignorance appreciated.
Clive Robinson • October 13, 2018 8:23 PM
@ echo,
The encumbrant idiots mentioned are very selective in their remembering of history. Which is what you would expect for those who feel entitled by status.
Whilst they might think they are secure in their places, history shows us that when pushed collective action by the rest of society can have only one of two conclusions. The self appointed elites back down or they are made ineffective in some way, often by violence of some form.
Civil unrest is undesirable but usually that is what ends up happening. First the self appointed call upon their guard labour that basically resorts to the worst of human depravity, at which point the tide turns and the guard labour flees the self appointed. It’s then often a question of how well the self appointed have planned, some will get away unscathed whilst others will be removed from society by society…
I’m guessing that the idiots are assuming that either their backers or technology will keep them in positions of power or atleast protected from the vengful. History shows that such assumptions have a habit of being wrong.
The real problem is the backers, who have planned, thus have made safe havens for themselves where anonymity is virtually assured. Where they wait for things to blow over before returning to start the cycle again…
I gather there is a fair amount of Mansion Building going on in New Zealand with underground bunkers with 60 months or more supplies… Which sounds to me like some of the backers are already preparing for “The blood of patriots and tyrants…” to flow.
Little Lamb • October 13, 2018 8:25 PM
the amount of data ‘they’ were collecting on mouse clicks … He was an oldish guy 50+, beard if I remember rightly.
A mad scientist was performing cruel and unusual experiments on captive mice. The psychiatrist next door was muttering something about bestiality or murine-human intercourse, but they didn’t want to add it to the DSM-V because they thought it might give people ideas.
Wael • October 13, 2018 11:47 PM
—–BEGIN PUBLIC KEY—–
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4BNhf0wjCMckfCF4leiH
8EnmtNQZ1ZhEXZicDjXhBmLQDaSLEtQhJTMbFkDd4CLfYLgO3mkp4dQVK/pG9FWn
75XO7bpApzcWKmQjJn+EwemIYC5Nc76WkrCQ4FVm5w0ys/sPtJqxGt75yM78ysCM
K2R3Xf5UzHefaNlbUbndvtXFTwy3chRsx/TSyZCXuCRFhybFIQcdE4Es+yRthm8w
U4znkmhiEFjwuW9wMyPhEyHelE6qYWiiR2VCC3xxiLaOH3mXINhjpKXXmbTnfrdB
3L0P4s/YV7BgP7kDKXIRaxTsAL+gqMrwtXYDm18vuHCA2ySNQPItjJaN0pf/6KBC
qyuL1NDlB13tBr9kZhx9OjYo22HG2nffBci9EnfE4i3zsnu+HJoTq7YSpnh4mhpo
pzNpCujV57PgbFMvJpquhghMH1Nr8mGAmgXSYPEO7dCoM0TG2HDqJhj2kZIwbZ9w
x3UsPSo38RVBUkm15e2qgoCEEEHwkl3yVUQ/YlU3I36Crbu53oSi7/nMuPIefBYW
UpaqaBSy4PAZUy6sqopErIjO5hp/rZDojvF1m82aR02wJkjyK5LHCV7RmfpiG4Ag
akOYQV6J+aT2aQ7HV4VAARz8PzEuNo7jDK84Y3YqD7GUv9Ir/KkVHB79APuq0PVH
wt97MGIKxSwTL7CV1BvGKTsCAwEAAQ==
—–END PUBLIC KEY—–
Wael • October 13, 2018 11:52 PM
The above is just a test public signature for a POC. Once done, I’ll delete the private key. Please do not use this to send me encrypted information — I’ll ignore it. Besides, this will be used only for signature verification, you know: a ‘Separation of duties’ thing…
Wael • October 13, 2018 11:57 PM
test public signature
Public key! Little wonder things aren’t working 🙂
Erik R • October 14, 2018 1:00 AM
Before the EU content filter requirements goes live; Bruce and the new book are mentioned on Swedish public radio. Link to the program, all in Swedish though:
https://sverigesradio.se/sida/avsnitt/1161066?programid=516
The program is not tech related but rather a relaxed and humorous talk show with thoughts about the future. The book virtually opens and drive the idea of increased analogue ways of doing things that wont kill you if clicked.
MarkH • October 14, 2018 1:53 AM
@echo:
I wasn’t involved in the boiling flow analysis; some colleagues who worked at the “hairy end” were kind enough to explain to me some of the challenges.
My little exposure to turbulence from an engineering perspective comes from looking through some elementary texts in aerodynamics. They give a pretty good idea of where you can expect to see turbulence, but don’t attempt to quantify it.
On an airplane wing, smooth (parallel) airflow stays close to the wing surface for a surprisingly short length after the leading edge (nose). Behind this threshold, the smooth flow angles away from the wing surface, and the “wedge” in between is considered to be full of turbulence … but nothing analytic, more like “here there be dragons.”
Timothy • October 14, 2018 5:53 AM
A former Apple product engineer writes about circuit boards and whether a Supermicro server board implant was possible. The short answer is yes. She discusses the risks of under-resourced teams, “customer-facing drawings” vs “factory drawings,” counterfeit parts, and building digital transparency and traceability in the supply chain. She says that although the technology exists to assess a product’s integrity, particularly for high sensitivity electronics, it is not yet considered a standard across the industry.
Clive Robinson • October 14, 2018 6:18 AM
@ Timothy, ALL
You might also like,
https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
As I’ve said I have my suspicions about Bloomberg, thus I have my doubts.
However it is entirely possible to do (the NSA&GCHQ do it).
The real problem is “hard proof”, people are claiming “no photo no story” without realy thinking things through.
They are under the impression an attacker needs to attack all the motherboards on a server farm etc.
The reality is they don’t, the motherboards used in server farms have the BMC with it’s own network. This network usually connects many motherboards together for ease of administration. In the slightly more secure setups this BMC network is “air gapped” from other networks so geting in from outside or getting data from outside should “in theory” be impossible.
Which is fine as far as normal attacks go. However a single hardware implant motherboard on this BMC network is in effect an “insider attack” and thus just one implant can infect all the other motherboards in the server farm…
As actually finding an implant would require “destructive testing” that is inordinately expensive, economically you would not do it, but either junk the boards or use them in non critical areas.
It’s a point most are currently ignoring in their mental model.
Tatütata • October 14, 2018 8:25 AM
Re: alleged public key
I first read “POC” as synonymous with “POS”, but as my cerebral porridge eventually coalesced, I realized it must have meant “Proof Of Concept”.
Out of curiosity, I tried importing that text into Kleopatra. Result: a very user friendly “BER error”, which I then Γκοογλε’d to try to understand what it was supposed to mean in plain Volapük, but landed only on cryptic bug reports and “computer service” scamware bait. Then tried the same with command-line gpg, with no better results. After cussing a little bit, I then realized it’s a beautiful Sunday out there, and that there are much better things to do, in which I will now engage.
Was this an experiment of sorts, with the readers starring as the mice in the maze?
Or an attempt to demonstrate the difficulty of using classical crypto tools, if this was ever necessary?
Ergo Sum • October 14, 2018 8:58 AM
@ Clive…
As I’ve said I have my suspicions about Bloomberg, thus I have my doubts.
However it is entirely possible to do (the NSA&GCHQ do it).
That’s somewhat contradicting statements and begs the question. Why other state actor(s) wouldn’t be able to do the same? Especially, when that other state actor has the factory within in its control that manufactures the product in question?
Which is fine as far as normal attacks go. However a single hardware implant motherboard on this BMC network is in effect an “insider attack” and thus just one implant can infect all the other motherboards in the server farm…
I don’t disagree, but…
Wouldn’t the “insider attack” generate lot of noise on the preferably isolated BMC network? Presumably, it depends on the size of the BMC network and monitoring for unusual network traffic, but still.
Clive Robinson • October 14, 2018 9:22 AM
@ Tatütata,
Out of curiosity, I tried…
I suspect –but am to lazy to try– that it is a scheme of crypto+stego thought up by @Wael and @Ratio.
Where they use “non printing” characters in which ever UTF coding they are using to represent “bits” or other data size. Hence the reason it will show up in “vi” but not most text editors.
If I remember correctly the original idea was a way for a poster to sign their post without having a very anoying visual inclusion at the end, messing it up for readers.
You can see –or not ;-)– a little more over at,
https://www.schneier.com/blog/archives/2018/01/fingerprinting_6.html#c6768403
Though it looks like @Wael blaims me =8( for the start of it a month or two before that…
CallMeLateForSupper • October 14, 2018 9:49 AM
“[…] what is going on with Firefox? […] When I go back to a tab/page after a minute or two, the data is no longer there […]”
I have experienced some weird Firefox behavior over the years, but not what you describe. Lovely. Congratulations. 🙂 By the way, what OS do you use?
I run Ubuntu Linux. One of the most persistent (going on three years now) weirdness-es here is a (sound) Volume slider appearing at upper right of window – only when FF is active – and vanishing after 3-5 seconds. Typically I am just reading when this happens.
Adding to the weirdness, the pop-up Volume slider looks nothing like Ubuntu’s Volume slider, and I have no idea what it “belongs to”.
Wael • October 14, 2018 9:57 AM
@Tatütata, @Clive Robison,
Re: alleged public key
Legitimate 4k Pub Key. Was working on the script last night but got distracted with other tasks and I also encountered some minor challenges, but learned a few things that’ll share once I sign a message and post the verification script. No need to import the Pub Key into Kleopatra — it might bite you in the chest 😉
[…] blaims me =8( for the start of it a month or two before that…
I blame no one; I only keep score. The price you pay is a question that I’ll ask you soon.
Timothy • October 14, 2018 11:38 AM
@ Clive
Thank you for sharing the article. I have read it, and will probably have to read it a couple more times to understand the many potential vectors of vulnerability. To the final thought from Dr. Markettos’ article:
“But it is likely news to many people that their systems are a lot more complex than they thought, and in that complexity can lurk surprising vulnerabilities.”
… What are your thoughts on the printed circuit board vulnerabilities as presented by the DoD-led Interagency report?
Here is a small bit of background: The report – fulfilling EO 13806 – discusses 16 sectors that are relevant to the defense industrial base and its supply chain; this review is listed in Appendix Two. The 16 sectors are grouped under two categories: Traditional Defense Sectors and Cross-Cutting Sectors. Both ‘Cybersecurity for Manufacturing’ and ‘Electronics’ are listed under the cross-cutting sector. Each sector has a dedicated working group that provides a risk analysis on the sector’s ability to support national security.
The Electronics Sector lists the specific topic of ‘Printed Circuit Board Manufacturing.’
What I found surprising was that, reportedly, the US only accounts for 5% of the global manufacturing of printed circuit boards. While 90% come from Asia, with over half of that coming from China.
The report advises that the DoD risks losing visibility of the ‘manufacturing provenance of its products’ and that many offshore facilities do not meet or comply with DoD quality requirements.
Further “The DoD Executive Agent for Printed Circuit Board Technology has provided technical assistance activities with domestic manufacturers and observed awareness gaps among manufacturers related to International Traffic in Arms and other Export Control regulations.”
A different section of the report discusses the effects of unlawful or unfair foreign trade practices that are contributing to the shuttering of U.S. factories.
I am, as with Dr Markettos’ article, still trying to unpack the details and implications. Again, thank you for your response, and your thoughts, and for sharing an enlightening and expert article with us all.
Clive Robinson • October 14, 2018 12:24 PM
@ Ergo Sum,
That’s somewhat contradicting statements and begs the question.
I look on Bloomberg with a degree of suspicion, their main line of business is not as journalists and they have been known to behave more than somewhat unprofessionaly. In essence using the Bloomberg terminal to spy on traders and use it not just for news but “market shifting” news.
Further one of their supposed anonymous sources for the first article has come forward and said they have been not just incorectly quoted but in effect used to fabricate the story. With their second article the named technical source has again come forward making similar complaint.
Some of the times that Bloomberg say events have happened can be shown to have been events of an entirely different nature, that have been previously reported by others. Thus it looks like a lack of research or an overly massive conspiracy theory. Either way Bloomberg has not come up with any testable evidence and much of what they have said has been shown to be incorrect.
Other people that have knowledge of how to do implants have come forward expressing at a minimum supprise and some doubts about the Bloomberg story. So the upshot is “Yes we know how to do implants and can tell you how to do them, but we are suspicious of Bloomberg’s stories”.
Which is why some have been saying that Bloomberg appear to have an agender that is not news as news, but more as market manipulation. In fact enough noise that I suspect SEC or other federal authorities are likely to be looking into it and trades placed leading upto the publication that caused half the value of a large corporate to be erased and a large fraction of the largest US tech company to be devalued.
With regards,
Wouldn’t the “insider attack” generate lot of noise on the preferably isolated BMC network?
It depends what it is doing. There is a fair amount of noise due to discovery and other legitimate BMC activities so the BMC network is not quiet. As I indicated I would already have put certain types of bug in the BMC source[1] which is apparently on these boards a variation of Linux[2] thus easier than many might think.
Which means that the traffic across the BNC network might just be a packet to “flip a status value” or equivalent.
People tend to forget that network stacks are promiscuous by design at the lower levels and making them much more promiscuous is a matter of changing status values. Back in the days of hubs that would have ment a single network packet would have been received on every machine on the network.
But there is another issue that few think of which is time based side channels. You can modulate legitimate traffic to carry illegitimate traffic in a form of “Pulse Position Modulation”. Which has been used in the past due to the transparancy of “efficient” hardware to get “keyboard logging” information out onto the local network and beyond.
It would be a matter of simplicity to combine such pulse position modulated data with expected “discovery” traffic etc.
Basically you are in effect just picking already known covert techniques and putting them together in ways few others would realise.
But my main point is although we can do this, and bits already have been so code exists etc, we don’t yet have evidence it’s been done by China, even though it has by the US and UK.
And in the case of Yossi Applebaum his concern which I share is that we “don’t throw the baby out with the bath water” by appearing to be “crying wolf”. That is supply chain attacks are real they have happened and atleast one with ePOS card readers originated in China. Thus what we don’t want is people making events up that then get shown to be false in some way that then makes the majority of people think everything about the story is “fake news”[3].
The fact some people are already talking that way, makes others think it’s a “disinformation campaign” which only goes to show what happens in an information vacuum…
[1] Again this type of “insider attack” especially in what is in effect “open source with mods” has been long suspected of the likes of the NSA and GCHQ and indirectly confirmed in more recent times. It’s inpart “finessing” inpart suborning or placing development staff.
[2] The reality is that with Linux running in BMC’s and Minux running in Intel’s ME Microsoft OS’s are actually the minority OS…
[3] As has been observed “The price of freedom is eternal vigilance” and we don’t want people “sleeping on the job” and waking in a nightmare.
Clive Robinson • October 14, 2018 12:36 PM
@ Wael,
things that’ll share
I’m guessing your harsh mistress is having her way with you again?
As you are having the wrong contractions :-S
Oh and the bad “bite in the asp” joke yes I caught it, though I’m not sure who else did 😉
Wael • October 14, 2018 2:42 PM
@Clive Robinson,
That Message signing thing turned out to be a real …
Stay tuned. I’ll be back.
Clive Robinson • October 14, 2018 3:03 PM
@ Timothy,
What are your thoughts on the printed circuit board vulnerabilities as presented by the DoD-led Interagency report?
My first thought is “they are over egging the pudding of doom” and “for the wrong reasons”.
To see why they claim the US had a 10billion market in 2000 but only a 3billion market in 2015, but forgot to mention that the world wide market in dollars shrank quite a bit even though the number of PCBs made world wide went up.
Thus the most likely cause is “economic disincentive” due to other factors such as two world banking crisis and a massive layoff of blue collar workers in the US.
This would have been exacerbated by the “make old do” problem that you see over and over in industry since the 1960’s. When a market opens those first in make a very large capital investment on what would be not very good equipment. As the market advances the equipment becomes considerably better and a lot cheaper. However those who were first have such high sunk costs they have to “make old do” which usually makes their running costs higher as well which makes them further uncompetative. A “tail spin spiral of doom” usually follows. Have a look at British Industry during the 1970’s-1990’s especially heavy industry.
There is contrary to what the report implies nothing illegal in these effects. The problem is two fold,
1, Share Holders prevent businesses reinvesting sufficiently.
2, The government insists on to long a period of time over which equipment gets written off.
But in the case of PCBs and other similar engineering, the early machines were heavily manual in comparison to modern machines. And this had three other effects,
3, High labour costs.
4, Poor or variable output quality.
5, Poor optimisation of materials and work flow.
The last of these can more than double your unit costs. When I was a young engineer doing my own development I did not buy PCB material. Because there was a PCB manufacturers (Classical Circuits) a few miles away on my way home that chucked out so much scrap I could take it from their bins by the tens of kilogram when ever I needed it. They were quite happy to let me as they had to pay by the Kg to have their scrap taken away and they often put choice off cuts aside for me, just for a chat and a drink round the corner.
But with manual systems quality is generaly based on worker experience, and workers with experience expected high wages for their skills as any craftsman would. CNC and similar reduced the level of skill required in workers down to very very low levels as well as reducing staff dramatically. In some companies that resulted in there being many times the number of shop floor workers in the sales, admin and managment side, it was not sustainable. Modern PCB companies have very few staff, atleast one in the Far East I know of employes more cleaners (4) than it does managers and the IT staff(7) outnumber the sales staff(5). Outside of the owner the highest paid member of staff is one of the IT guys who writes their factory control software, and the next highest paid develops their “web presence”. Twenty years ago I used to work with the owner in the engineering dept of a FMCE Telecoms company, he tells me that business is getting bad, not because of lack of work but competition from larger companies with effectively less workers per unit of productivity and other services such as component loading and test.
Yes there are US fast prototype companies but aside from being US they don’t offer much over those you will find in Alibaba etc. I don’t bother looking at them because their shipping costs are absolutly ridiculous to the UK. As for the UK well lets just say that having looked into some they are effectively “shop fronts” or agents for Chinese companies trying to work margins.
You also have to look at it another way. I can try and source PCB material in the UK from the likes of DigiKey, Mouser, RS, Farnell etc for doing single sided or double sided prototypes. They are going to be the wrong size wrong base material and thickness and take upto a week to arive, hence have high material and time wastage. But I then have to add the costs of etching or CNCing them which is comparitively quite high. However I can email the gerbers and have a choice of delivery times from the Far East and get ten boards with plated through holes for less cost/time than I can getting the stock in and making them myself. More importantly the more esoteric RF materials such as RT Duroid, Arlon and ceramics are not a problem, nor is gold or silver plating in whole or part. So why should I even open the DigiKey etc catalog?
Whilst I can understand some of the DoD’s issues including that of security it’s the elected members of the US Government who effectively killed their own defence industry by various COST initiatives. Because the specials the DoD needs were effectively subsidized by the US electronics industry in general. The industry died because of political influance and now “the chickens are comming home to roost”.
If you want a vibrant and successfull manufacturing industry you need fertile ground for it Off-Shoring, Out-Sourcing, Business Process Reengineering and many more idiot ideas have killed it via quick-buck expecting Share-Holders. If you want to grow a company the last thing you need to be doing is throwing money away at share holders and the Rrvenue service. You will note that the more successfull companies are now effectively fully off shore to avoid the later. The side effect of this is that they can not brink the money back on shore to invest in the US… In the near future many of these corporates will work out how to get rid of their public share holders at which point their use to the US will be at best detrimental through lobbying…
No matter how Pres Trump may want to change things for what he sees as the better, he will not be alowed to by those politicians around him. They will only alow what they can profit by.
As with any war there are combatants and profiteers, it’s no different with a trade war. You can bet your last copper penny that people are making big bucks out of the China-US trade war. At the end of the day as with other wars China will win or draw. The best the US can hope for is a draw, but more likely they will loose big longterm. The only rrason China is playing along currently is the amount it has invested in the US “to keep the peace”. If push comes to shove China will take the hit as it can absorbe it better than the US can. Because the US is very fragile and in quite bad shape in many ways including in raw resources. The US has been extreamly profligate with it’s resources and thus has to import much of what it needs. China on the otherhand has not been profligate. Much of the US defence and high tech industries are very to critically reliant on raw resources that China has an effective monopoly on currently. They have been using them to effectively force US manufacturing into China, where the IP has been appropriated. This was clear back in the 1990’s and the US could have stopped it then, but political interests effectively stopped any action for the sake of “short-termism” and corporate lobyists. Now it’s probably to late to do it relatively painlessly…
echo • October 14, 2018 3:25 PM
I am beginning to wonder if this whole spying game shouldn’t be subject to a supra national court. My reasoning being that if good governess and good civic society and equity between nations means something then apart from wars of agression which are themselves unlawul spying is irrelevant and serves no purpose. I accept this position is far short of perfect and contains many flaws but believe the question should be asked.
We have a lot of good models for what should be done but politics or more specifically some politicians often get in the way.
@Clive
It would be an extremely low bit rate but what about systems that hide encoded messages in standard text with no stenographic techniques? I know there are techniques but wondered if they could be applied in an automated and none detectable way. Of course, traffic analysis techniques can reveal schmes as we know but I wondered how far things could be pushed and how long detection could be evaded. Can a technique be hardened to withstand full data capture and historical analysis?
One thing I ahve noticed which is more a problem with psychology than anything else is common phrases tend to lose their power in the same way that people become blind to information hiding behind statistical averages. Like all things they are open to use one way or the other way. Reflecting on the destabilising and dangerous garbage produced by the intellectual alt-right they seem very driven by psychology and marketing.
@MarkH
It’s fascinating hearing this whatever level you worked at. People aren’t always valued for a lot of reasons but I have in my notes/databse somewhere a study which suggests that a psychological lift given in the right way not only makes you feel better and less psychologically conflicted but also becomes a self fulfilling prophecy which enhances success with life opportunities. You will have to excuse me not citing the exact study. It’s a topic area which in discussion can become problematic due to perceptions.
Timothy • October 14, 2018 4:30 PM
@ Clive
The US has been extreamly profligate with it’s resources and thus has to import much of what it needs. China on the otherhand has not been profligate. Much of the US defence and high tech industries are very to critically reliant on raw resources that China has an effective monopoly on currently. They have been using them to effectively force US manufacturing into China, where the IP has been appropriated. This was clear back in the 1990’s and the US could have stopped it then, but political interests effectively stopped any action for the sake of “short-termism” and corporate lobyists. Now it’s probably to late to do it relatively painlessly…
I concur.
The report “Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology” – sorry for the mouthful – provides a visual (Exhibit 1) as to the level of ‘China Supply for Seven Leading Federal IT Providers, 2012–2017.’
It’s a lot.
Thankfully, I guess, both the above report and the DoD-led Interagency report provide recommendations for cultivating a secure and resilient supply chain. Hopefully less pain now than later.
Clive Robinson • October 14, 2018 5:57 PM
@ echo,
It would be an extremely low bit rate but what about systems that hide encoded messages in standard text with no stenographic techniques?
No stego would imply ciphers not even codes…
Whilst “phrase” codes can be made to look like natural language in small numbers of codings per communication, they quickly become to random to maintain the pretence with more than three or four codes per communication. Whilst humans can generaly spot them due to their odd or stylised form computers and AI are still on the threshold of being usefull.
Thus can you hide “ciphers” the answer is yes if you somehow modulate them on ordinary text messages. As I’ve mentioned before HTML tags have quite a degree of redundancy in the order you use them. Take for instance the “UN” tag and the “I” tag. If you use both around a sentence there are four ways you can arange them,
[UL][I]abcdefg[/UL][/I]
[UL][I]abcdefg[/I][/UL]
[I][UL]abcdefg[/UL][/I]
[I][UL]abcdefg[/I][/UL]
The text would in all cases be rendered identically but the tags in effect send two bits of information you can do similar with the many redundant UTF encodings.
The point being, anywhere there is redundancy you can modulate it with information.
You can certainly do these automatically but like many things the more you do it the more noticable it becomes.
With regards,
Of course, traffic analysis techniques can reveal schmes as we know but I wondered how far things could be pushed and how long detection could be evaded.
As I’ve mentioned, on a local area network all hosts can hear a single packet. That is some packets get “broadcast” rather than sent “point to point” similar is true of network packets sent across the Internet, in that every node they go through sees not just the packet but the time it was sent via time stamps. Such information has been used in the past to communicate information to a close node even though a host could be talking to several different remote hosts.
So yes there are ways that things can be done by abusing various routing protocols etc.
With regards,
Can a technique be hardened to withstand full data capture and historical analysis?
No and depends what you mean.
Anything you transmit can be recorded by a third party for part or all of the time. It is upto the third party what and to what accuracy they record your transmissions.
The less accurately they record the more information they lose. It’s been said the NSA record times down to the nano second which is the length of time it takes light to travel just over a foot.
The question is can you somehow “cheat” this, to which the answer is probably yes. It all depends on how the NSA records what you send.
Look at it this way, do they store the time for every bit sent? Unlikely, can you vary the width of a bit by a small amount such that the accumalitive time for a network packet could be used as a signalling mechanism between two nodes. The answer is yes under certain circumstances but by no means all. But these considerations are more in the realm of theoretical rather than practical.
The main reason the NSA started using such high precision time is not to do with time but order. Look at it this way in an ordinary conversation how many different people could speak in a minute? If you only recorded time to the minute, then who said what can be put in a database easily, but in what order people said it becomes ambiguous. The finer the granularity of time you use the less of a problem order becomes when using a database or other nonsequential storage.
Thus you might use some time delay code to modulate sectet information on otherwise benign traffic. The “fingerprint” of it might well be in the database, but unless someone goes looking for that fingerprint it in effect remains hidden.
If they do go looking then the question falls to what is random noise and what is signal and how do you tell. Simplistically the closer the signal is to random noise the less chance it has of being recognised as a signal. And if it is not recognised as a signal then there is no history to be analysed.
We know from stream ciphers that inteligable information can be made to look as close to random as to not be differentiable. The usual example used is the One Time Pad, where in theory you can not tell the difference between random and information.
In radio communications there is a form of modulation called “Direct Sequence Spread Spectrum” (DSSS) it is generated in exactly the same way as a stream cipher is. Which is why DSSS is used in “Low Probability of Intercept” (LPI) covert radio systems. What works in the Frequency Domain also must work in it’s inverse the Time Domain. Thus you can add jitter to the times you send network packets that to a third party can not be distinguished from random. However the second party knowing the key stream can decode the jitter and recover the information.
There is a lot more on the subject including “jamming immunity” which in network time might be caused innocently by other traffic, or deliberate by the third party. But hopefully it gives you an idea of what can be achieved by those with sufficient intent to covertly send information.
Oh even though all this information can be found in stanfard graduate level text books it’s usually broken up into entirely unconnected subjects. And you are not supposed to be bright enough to put it all together…
Which obviously is the way some people want it to be especially in the US where some of it is still supposedly clasified… Yes it’s security by obscurity but from their point of view the less we know or are alowed to know the less tricks we can pull on them so the easier their jobs are (all very “medieval popish plot”).
My view point is they should stop shining the seats of their pants on comfy chairs and actually earn those big fat appropriations of money they get from the poor benighted tax paying citizens 😉
Tatütata • October 14, 2018 9:59 PM
… Legitimate 4k Pub Key.
I ran the text through a base64 decoder and examined the result. It does seem to be a very basic key consisting of a modulus and an exponent, but nothing beyond that. It did make me learn a couple of new things about key formats.
No need to import the Pub Key into Kleopatra — it might bite you in the chest 😉
Sounds ominous, is that a warning or a threat? 🙂 Images of the original “Alien” flashed through my head, I only ever saw that flick once, and that’s quite enough.
I looked at the link provided by Clive, and began looking at the source of the HTML and noticed a bunch of ampersand-coded characters. Without looking at the rest of the thread I tried to make sense out of it, which I managed. I then began reading the rest, and found myself racing with the progressively more detailed disclosure over the last two years, which apparently culminated last week. I somehow missed all of that.
OK, so there is this 176 byte (=1408 bit block, or 11 blocks of 128 bits) which is apparently encrypted by a key somehow derived from the pattern abab -> 1010 repeated 5 times.
I got as far as to try to create a key out of the poem’s scheme, but the online decoder didn’t work. I somehow felt like I was in a certain novel by Italo Calvino, hopping between windows of different time, style and location.
Alas, I just found out that the solution was disclosed last week, so I’ll stop here. This is what I can show for, a bit of Octave code which I commented as I went along:
clear;
close all;
load zjn;
zjn=~zjn;
a=(reshape(zjn,8,length(zjn)/8)’);
w=(2.^[7:-1:0])’;
b=char((a)*w)’;
disp(b);
unix([‘echo ‘ b ‘ | base64 -d >decoded.txt’])
f=fopen(‘decoded.txt’,’r’);
c=fread(f,Inf,’uint8′);
fclose(f);
#
JG4 • October 14, 2018 10:10 PM
Thanks for the continued helpful discussion.
@echo – I think that Clive regularly points out that tools are agnostic to use. It would be difficult to think of a tool that wouldn’t be useful in some way for carrying out the functions of government and also for carrying out the functions of organized crime. Secure communication tools are a nearly perfect example, and also quite useful to human rights organizations, who essentially want to act against the interests of governments and organized crime in trampling human rights.
This old comment overlaps the topic of flow control pretty cleanly.
https://www.schneier.com/blog/archives/2015/08/friday_squid_bl_1.html#c6704388
…
any sequence of instructions can be treated as a trajectory in an arbitrary dimensionality n-space.
…
The trajectories can be thought of as fingerprints, in that bad trajectories (unwanted code/undocumented features) are different from the desired system operation.
…
The usual daily compendium. I included a few that require a broader than usual view of security.
https://www.nakedcapitalism.com/2018/10/links-10-14-18.html
…
Why Catastrophic Climate Change is Probably Inevitable Now umair haque, Eudaimonia and Co. (GF) Well worth a read.
…
Trump Administration Urges Saudis To Stick To Killing Random Yemeni Civilians The Onion
…
Why it’s totally unsurprising that Amazon’s recruitment AI was biased against women Business Insider
ICANN’s internet DNS security upgrade apparently goes off without a glitch Network World
…
Some plants nurture soil bacteria that keep them healthy The Economist and Underwear Measures Soil Microbial Activity AgPro
Wael • October 14, 2018 10:11 PM
@Tatütata,
I’ll share the scripts so that you can verify (and sign) messages. It uses openssl, out of all things, but it’s just a POC like I said. So don’t worry about “deciphering it” now.
Sounds ominous, is that a warning or a threat?
Neither! Just a caution. Check Kleopatra and the snake; a Serpent — another crypto thing 😉
Wael • October 14, 2018 10:18 PM
@Tatütata,
The rhyme scheme is (abab) repeated 5 times
No! The rhyme scheme is AABBA for limericks! AABBA was they AES key you needed to put for a secret at https://aesencryption.net/ — It does not work now, so I switched to openssl. I was too lazy then but realized one can’t depend on external sites… Same for quite a few links I previously embedded here, they aren’t working any longer.
I can explain the previous poem later, after I share these signature scripts.
Weather • October 14, 2018 10:33 PM
Wael
Wasn’t directed at you, I’m more worried about
Weather • October 14, 2018 10:36 PM
/
Weather • October 14, 2018 10:40 PM
div /<
Wael • October 14, 2018 10:46 PM
These are the scripts you need for ???? verification. There was a small mistake I made when I appended the signature to the message body — I ate a couple of line-feeds, that’s why the “get message” script has the last line.
#Obtain Public Key
<b>Obtain Public Key</b>
curl -s https://www.schneier.com/blog/archives/2018/10/friday_squid_bl_646.html#c6783413 \
| awk ‘/c6783413/{flag=1;next}/class=”comment by/{flag=0}flag’ \
| tail -n +4 \
| sed ‘s/<br \/>//g; s/<p>//g; s/<\/p>//g; $ d’ \
| head -14 > pub.sig
#Get Message Body
curl -s https://www.schneier.com/blog/archives/2018/01/fingerprinting_6.html#c6783451 \
| awk ‘/c6783451/{flag=1;next}/class=”comment by/{flag=0}flag’ \
| tail -n +4 \
| sed ‘s/<br \/>//g; s/<p>//g; s/<\/p>//g; $ d’ \
| head -36 > message-body.txt \
; echo -n -e ‘\x0a\x0a’ >> message-body.txt # Fix my mistake
I’ll follow with some scripts that help compose the signature…
#Get Message Signature
export SCANNED=$(curl -s https://www.schneier.com/blog/archives/2018/01/fingerprinting_6.html#c6783451 | awk ‘/c6783451/{flag=1;next}/class=”comment by/{flag=0}flag’ | awk -v RS=’&[j,n,w,z]+;’ ‘RT{gsub(//,””,RT);printf RT}’ | sed ‘s/‌/1/g; s/‍/0/g’ | sed ‘s/.{8}/& /g’ | tr -d ‘ ‘); printf $(echo “obase=16;ibase=2;$SCANNED” | BC_LINE_LENGTH=2000 bc | sed ‘s/../\x&/g’) > message.sig
#Verify Message
openssl base64 -d -in message.sig -out /tmp/sign.sha256
openssl dgst -sha256 -verify pub.sig -signature /tmp/sign.sha256 message-body.txt
Wael • October 14, 2018 10:58 PM
Forgot to say the signature is only performed on the body of the message. No sender, no time, no nonces, no comment number! Didn’t have time for that, and @Ratio will tell you RegEx isn’t my cup of tea. So don’t flame me — it’s just a POC.
It’s not easy to predict the comment number, and one can’t reserve a comment number to include in the signature. Also, I could have included the time, but that requires precise submission time-control, which I do have (better than @Ratio, by the way, whose atomic clock is out of sync by a minute or so.)
Wael • October 14, 2018 11:04 PM
How I composed it:
#!/bin/bash
echo “Usage: preview_signature input_file passphrase”
echo $1 # Did not have time to put command line parsing
echo $2
openssl dgst -sha256 -sign ../../keys/private.pem -out /tmp/sign.sha256 test_message
openssl base64 -in /tmp/sign.sha256 -out /tmp/post_signature
cat /tmp/post_signature | perl -pe ‘$_=unpack”B*”‘ | sed ‘s/.{8}/& /g’ > /tmp/base64_to_Binary
cat /tmp/base64_to_Binary | tr -d ‘ ‘ > /tmp/stripped_base64_to_binary
perl -pe ‘s/0//g;s/1//g’ /tmp/stripped_base64_to_binary > /tmp/embedded_signature
perl -pe ‘s//0/g;s//1/g’ /tmp/embedded_signature > /tmp/reconstructed_binary
diff /tmp/stripped_base64_to_binary /tmp/reconstructed_binary
cat /tmp/reconstructed_binary | sed ‘s/.{8}/& /g’ | perl -lape ‘$_=pack”(B8)*”,@F’ | head -11 > /tmp/reconstructed_signature
diff /tmp/reconstructed_signature /tmp/post_signature
Once you compose the signature in ‘invisible characters format’, append it to the real message and post it. Make sure you don’t overwrite the line-feeds like I did.
Weather • October 14, 2018 11:10 PM
head -36 > message-body.txt \
; echo -n -e ‘\x0a\x0a’ >> message-body.txt # Fix my mistake
\0x0a\0x0d
Wael • October 14, 2018 11:16 PM
@Weather,
Wasn’t directed at you, I’m more worried about
Come on, you can do it! Tell me, tell me! Umm, Angle brackets messing your posts up? Use this: https://www.schneier.com/blog/archives/2018/10/friday_squid_bl_646.html#c6783464
Wael • October 14, 2018 11:26 PM
Correction… (and I was telling @Weather to read the codes… go figure!)
perl -pe ‘s/0/‍/g;s/1/‌/g’ /tmp/stripped_base64_to_binary > /tmp/embedded_signature
Wael • October 15, 2018 12:03 AM
@Tatütata,
I somehow missed all of that.
Very good effort, by the way! There’ll be other opportunities, I think 🙂
Epiloge:
Assuming I did nothing stoopid, as I am seeing double right now (19 sec video clip https://youtu.be/_u5A0H6PkqE ….) and the signature verification really works: In this exercise, there was a concept, a design, an architecture and an implementation.
Concept
I say there is a security flaw in the concept, for the following reasons:
1- The blog does not support signatures
2- Many come here over Tor (they think it protects them – lol)
3- Who wants to trade off Reputation for less Impersonation? One would give up plausible deniability to reduce the chances of impersonation — not a good trade-off!
Design
Hmmm. Bad encoding mechanism:
1- Too inefficient
2- Occupies excessive space of blog storage
3- Not really stealthy (for confidentiality.)
Architecture
Ummm.
1- Depending on external sites is a bad idea.
2-
Implementation
1- Quick and dirty
The next iteration I had in mind… well, may be later.
Wael • October 15, 2018 12:09 AM
Reputation -> Repudiation!
Timothy • October 15, 2018 12:49 AM
According to MeriTalk, a report from the Office of the Director of National Intelligence confirms that the U.S. supply chain is under ‘systemic assault by foreign intelligence entities.’ MITRE released a report in August urging the DoD to secure acquisition and the supply chain, recommending 15 changes overall. The DoD is already taking a recommendation from MITRE’s report with a new pilot initiative called “Delivered Uncompromised” under which security guarantees are a ‘forth pillar’ of contract acquisition. The Pentagon and Congress are also working towards tightening up supply chain security.
MeriTalk: Microchip Hack Report Puts Supply Chain Issues in Crosshairs
Tatütata • October 15, 2018 1:59 AM
@Ratio will tell you RegEx isn’t my cup of tea.
Me neither, and there was a lot of awk and sed going around here. It hardly ever exactly works as advertised, the interpretation seems to vary too widely from one tool to the other. (e.g.: editor find-and-replace, programming library).
The rhyme scheme is AABBA for limericks! AABBA was they AES key
Oh, I understand now! The limerick is the key, not of the “howto” poem. The derived key was apparently meant to be plugged directly into that site as a kind of passphase, and not as a 256 bit wide field.
There is some defective html or ≤ / > floating around, which scr*ws searching on the page.
Tried the verification script at this end: “Verified OK”. Yeah.
Tatütata • October 15, 2018 2:12 AM
@Clive:
As I’ve mentioned, on a local area network all hosts can hear a single packet.
That used to be mostly true on coax-based ethernets, although nodes at each extremity of a long segment of coax could have trouble talking to each others. (I remember hours of fun trying to get a bl**dy 2Mb/s ArcNet with 10-20 nodes to work properly).
But with twisted-pair based LANs, dumb hubs have being replaced by “smart” switches that route packets based on their MAC address, effectively segregating traffic between nodes. The good news is that many of these are configurable to provide “port mirroring”, allowing you to use tools such as WireShark.
@Wael, Re: Kleopatra. I just got it! But of course!
I had assumed that the name chosen was some sort of French pun. “Clé” (newer spelling), “Clef” (older spelling) = key. So Clef-O-Patra…
Clive Robinson • October 15, 2018 5:30 AM
@ Tatütata,
But with twisted-pair based LANs, dumb hubs have being replaced by “smart” switches that route packets based on their MAC address, effectively segregating traffic between nodes.
Only for the majority of user traffic.
What was perhaps not clear is that I was originally talking about “Discovery” which is what the BMC network does amongst other things. It sends packets as broadcasts, otherwise protocols like BOOTP, DHCP, ARP etc would not work.
The ethernet packets being non routable uses Eth-Add FF:FF:FF:FF:FF:FF for broadcast which the switch should send to all active connections. This is inturn used usually by UDP packets where the IP subnet broadcast address host is all ones under CIDR rules which derived from a suggestion a decade back from that in the early 1980s.
So, long befor IPv6, which might account for why IPv6 does not have a broadcast address but does have multicast addresses. The configuration of which is a story for another day 😉
echo • October 15, 2018 8:16 AM
@JG4
Yes, dualism is a problem.
On the legal issue the UK case law says where a persons human rights hang in the balance the judgment must always be in favour of the person. I’m sure you and others realise this puts an altogether different tilt on issues. It’s not much help when up against it but another snippet of critical law people are not educated about.
@Clive
I thought I was clear but obviously not. What I was trying to articulate was is there a form of “reverse fingerprinting” which works at the linguistic level which can survive historical analysis and traffic analysis. By this I mean using sentence structure and meaning structure and word choice to subtley embed a message albeit at a low bitrate.
My maths and domain knowledge isn’t good enough to know whether this passes basic sanity checks.
echo • October 15, 2018 10:04 AM
Given a senior polixe officer hid in his car with locked doors durign a low level terrorism incident when citizens werebeing stabbed in the street and another senior officer who had to resign in disgrace after a bullying scandal has been put in charge of conduct investigations this kind of performance by UK police makes me wonder whether they work for everything else but the public interest. I have little doubt this kind of political roadcrash is deliberate.
Police will not examine claims of Russian meddling in Brexit vote. Met outlines scope of any inquiry as campaign group takes government to court.
echo • October 15, 2018 10:54 AM
Nearly 18,000 members of the British armed forces are clinically obese, figures show.
The stats show 398 troops have Type 2 diabetes, 160 personnel have been prescribed diet pills and 16 given liposuction.
As of July 2018, there were 8,662 obese soldiers in the Army, 4,666 in the Royal Navy and 4,274 in the Royal Air Force.
The figures, obtained by the Mail on Sunday under the Freedom of Information Act, also show more than 30,000 troops are considered overweight, based on the body composition measure (BCM).
“The envy of the world.”
“Gold standard.”
“Punching above our weight.”
Wael • October 15, 2018 11:31 AM
How to sign a message — helping script
Script name: preview.sh
Message to be signed and posted: test_message
Private / Public keys: Look here for simple instructions
make sure you do a chmod +x (or 755, or whatever suitable for you) preview.sh
Script starts with#!/bin/bash, below
#!/bin/bash
echo “Usage: preview_signature input_file passphrase”
echo $1 # Did not have time to put command line parsing
echo $2 # You’ll need to read in the passphrase for private key access
echo $3 # And take switch arguments to perfome the needed task
openssl dgst -sha256 -sign ../../keys/private.pem -out /tmp/sign.sha256 test_message
openssl base64 -in /tmp/sign.sha256 -out /tmp/post_signature
cat /tmp/post_signature | perl -pe ‘$_=unpack”B*”‘ | sed ‘s/.{8}/& /g’ > /tmp/base64_to_Binary
cat /tmp/base64_to_Binary | tr -d ‘ ‘ > /tmp/stripped_base64_to_binary
perl -pe ‘s/0/&‍/g;s/1/&‌/g’ /tmp/stripped_base64_to_binary > /tmp/embedded_signature
perl -pe ‘s/‍/0/g;s/&‌/1/g’ /tmp/stripped_base64_to_binary > /tmp/embedded_signature
diff /tmp/stripped_base64_to_binary /tmp/reconstructed_binary
cat /tmp/reconstructed_binary | sed ‘s/.{8}/& /g’ | perl -lape ‘$_=pack”(B8)*”,@F’ | head -11 > /tmp/reconstructed_signature
diff /tmp/reconstructed_signature /tmp/post_signature
Once you compose the signature in ‘invisible characters format’, append it to the real message and post it. Make sure you don’t overwrite the line-feeds, otherwise you’ll have to account for that.
Wael • October 15, 2018 11:58 AM
@Tatütata,
Tried the verification script at this end: “Verified OK”. Yeah.
Thanks!
I had assumed that the name chosen was some sort of French pun
I don’t know French – for future reference.
The limerick is the key, not of the “howto” poem.
Explanation, with details.
Steganography ain’t lame, Notepad is the trend;
There is some steganography in the body of the message! It uses “invisible characters”.
To unhide and extract the hidden text:
After you de-steganogyphize the hidden text, it’s time to decode it!
@Ratio did that and called it “gibberish”
Cryptography’s the game, But vi’s your friend!
There is also a Cryptography component — fulfillment of: “Oh, that’s coming. Count on it :)”, “vi” is a hint to the nature of the hidden text.
Don’t run out of steam; Remember, and you’ll be done;
Pay attention to the instructions within this “poem”, it will make you life easier, so don’t give up.
The key’s the rhyme scheme,
The key is “AABBA” — the rhyme scheme of limericks. That was the promised deliverable, so to speak.
Replace B with zero and A with one
Replace AABBA with 11001
After you de-steganogyphize the hidden text, it’s time to decode it!
@Ratio did that and called it gibberish”
7CzVhqvZZnkzXwlO3FF9bd7bv9dS3ydl+DmJHhZoO8Vfmgp6kd23qISfDAehc9F79ONwCKDAYjHFnZ5odq0JC2M1i8o4XUyGC3fv2dsbYzadP6zlL+aPQvAv6GC5h5YfE7BuGjOahID1OFZKDAyOkAps1O/8xj61/mfQXnWEXIZ9frvytVWD+PPSJfFgdVSPUV9GKgtvQuj+zbnspsKLufLtsuAymxHRN1dxDTB8hww=
You have enough information and scripts to be abe to extract the above 😉
Know that I keep my word; I have class. On Schneier’s Blog of Cryptology…
I kept my promise, and on this blog,
My limerick immortalized your *ss
I fullfilled my promise: “Don’t make me immortalize your rump with a Cryptographic limerick, ok?”
With an inscription of your Eulogy
He left, and effectively “died”, and requires a “Eulogy” to “immortalize” him. Inscribed on the walls of this blog – his tombstone, so to speak 😉
The limerick is wrapped in AES, OpenSSL is a loosing bet; With a 256-bit key — no less!
Need to decrypt using AES. But do not use openssl! The key length is 256 bit
Decrypt with https://aesencryption.net
Go to https://aesencryption.net , and:
Put
7CzVhqvZZnkzXwlO3FF9bd7bv9dS3ydl+DmJHhZoO8Vfmgp6kd23qISfDAehc9F79ONwCKDAYjHFnZ5odq0JC2M1i8o4XUyGC3fv2dsbYzadP6zlL+aPQvAv6GC5h5YfE7BuGjOahID1OFZKDAyOkAps1O/8xj61/mfQXnWEXIZ9frvytVWD+PPSJfFgdVSPUV9GKgtvQuj+zbnspsKLufLtsuAymxHRN1dxDTB8hww=
in the “Plain or encrypted text here” box
Put 11001 in the “Key of the encryption” box
Select 256 bits
Click the “Decrypt” button
I know the so-called poem sucks so don’t show me contempt
Beauty is in the eye of the beholder 😉
Thank me for not using f*cks; Tell me read this before a lame attempt
The limerick is surprisingly not vulgar. Read the document before you blame me 😉 And the resulting decrypted limerick is:
There once was a guy named ianf
Who messed with wrong blog staff
Clive and I tore him a few new ones
So he ran away from the nuisance
And joined his banned fellow Riffraff
I had to maintain some level .f subtle vulgarity in it. It’s a limerick, after all!
PS: I am not sure whether the web site had a bug or I put AABBA instead of 11001. UNlikely that I made that mistake, but I am not certain. I think I tried both,
Bong-Smoking Primitive Monkey-Brained Spook • October 15, 2018 4:05 PM
New Zealand to travelers: Hand over phone password or pay up to $3,200
There goes my travel plans to New Zealand!
@Ratio:
bit bucket from the inside.
🙂
Weather • October 15, 2018 4:13 PM
BEGIN PUBLIC KEY—–
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4BNhf0wjCM
A)00011000110111011111110111010111000111
B)
MIICIjANBgkqhkiG
C)
9w0QEF08KE4f0w
Encrypted)
���MIICIjANBgkqhkiG9w0QEF08KE4f0w
Weather • October 15, 2018 4:15 PM
A) is four should be eight chars
C) should be 256
Time to unencrypted 1 year
Clive Robinson • October 15, 2018 4:28 PM
@ BSPMBS,
There goes my travel plans to New Zealand!
You could wait a little while and ask our host @Bruce, NZ is on his travel plans in the near future.
Mind you as NZ is know as “The last bus stop before the south pole” @Bruce could like quite a few “US Entrepreneurs” be looking for not just a “quickie NZ citizenship” and a major mansion, but also a 60month bunker to ride out the neo-XXX predicted “uprising of the great unwashed”.
When of course the tree of liberty gets a bath in the blood of patriots and tyrants… As foretold by some old US geezer who obviously can not be trusted because he did not have a beard a hipster would be proud of 😉
Bong-Smoking Primitive Monkey-Brained Spook • October 15, 2018 4:40 PM
@Clive Robinson:
As foretold by some old US geezer
Same abomination as this one:
forge a birth certificate for “Jamaica Hospital, New York” as some one who looks like a Shetland Pony with a comb over is “alleged” to have done 😉
Or is it a different whacko?
Clive Robinson • October 15, 2018 5:50 PM
@ BSPMBS,
Or is it a different whacko?
Tommy-J was long gone before The Doh-gnarled, but they could have been hacked from the same whole cloth. TJ made the usuall sound bytes like “all men are created equal” which realy ment some are realy “more equal than others”, hence his plantations kept ticking along on slaves. And he was not averse to taking them to his bed especialy after his wife died… So on that score the Doh-gnarled could be said to have to do a bit of catching up, but only by a bit…
But in other areas TJ was not just highly educated, he had fingers in many pies unlike U-nuz-Ho. Some only half jokingly say he has but one finger and has trouble between picking his nose and his bum, which might account for his mood swings. Any way with such little hands it’s kind of difficult to count, so a prime candidate for the “ring or the watch” joke…
Edwin • October 15, 2018 5:55 PM
Bong-Smoking Primitive Monkey-Brained Spook
Re yr name: nomen est omen. Anyway, I hope not.
Liked your Freudian slip
“Same abomination as this one: forge a birth certificate for “Jamaica Hospital…”
Did you by chance refer to the kenyan born U.S. abomination 100 % uma delicia?
Clive Robinson • October 15, 2018 6:10 PM
@ Edwin,
Did you…
No it was me that brought it up…
Somebody was arguing the other day in the meat space i frequent from time to time, that the best place to hide is as the spokesperson for your chosen enemy. The conversation moved on as such things tend to do to deeds and actions. Where it was pointed out that the best way to hide something about yourself is to accuse another person of what you are trying to keep hidden…
So if you look up my original comment, and then look up a person who repeatedly accused another of having a fake birth certificate then “the penny will drop” as they say…
PeaceHead • October 15, 2018 6:20 PM
” Non lethal technology was included into NATO military doctrine due to their effort:
"At the initiative of the USA, within the framework of NATO, a special group was formed, for the perspective use of devices of non-lethal effects" states the record from the session of the Committee on Security of the Russian State Duma (29).
The report published by STOA states:
An interesting nugget of data from the internet. Can anybody shed some insight on this topic?
It relates to the components of security that relate to actual human safety rather than just digital safety/security or intellectual property rights safety/security.
For those who aren’t total skeptics, you probably comprehend that when technologies go “straight to the cranium”, in a malicious and/or dangerous manner, those technologies certainlypossibly hamper that person’s ability to manage security as well more critical activities such as basic survival activities.
Skeptics, please hold off for a while, I’m not inviting rebuttals, I’m seeking additional info on the topic quoted below. I’m not trying to convince people of anything and therefore you aren’t required to try to convince me of the contrary either. The quote is right here…
“In October 1999 NATO announced a new policy on non-lethal weapons and their place in allied arsenals” (34). “In 1996 non-lethal tools identified by the U.S. Army included directed energy systems” and “radio frequency weapons” (35) – those weapons, as was suggested in the STOA report as well, are being associated with the effects on human nervous system.
According to the Russian government informational agency FAPSI, in the last 15 years, the U.S. expenses on the development and acquisition of the means of informational war grew four times and at present time they occupy the first place among all military programs (17),(3).
Though there are other concepts of informational war than mind control, the unwillingness of the USA to engage in the negotiations aimed at the ban of the manipulation of human brains might indicate their intent to use those means in internal as well as international affairs.
One clear consequence of the continuation of the apparent politics of secrecy surrounding technologies enabling remote control of human brains might be that the governments, who would own such technologies, could use them without having to take into consideration the opinion of the general public.
The concept of the democratic world would be, though secretly, disrupted in this way, and in the future the world populations could live in only fake democracy where their own or foreign governments might, by means of secret technologies, shape their opinions. “
@echo: With much respect, please don’t succumb accidentally (or otherwise) to feeding the openers of Pandora’s Box a lockpicking set or any kind of enticements. When I initially posted contents here about quantum stuff it was as a warning sign of dangers and risks and why that field needs to back down from threatening existence just to know what existence is. It was not my intention to turn that field of ideas into a clearinghouse of data nor typical coffeetable fodder for us cryptotypes or anyone else. It’s quite serious the myriad ways that arrogant military, intelligence, government, corporate, overzealous fellowships, and physicist types put us at constant risk with their attempts to implement their lofty ideals. The constant threats and realities of total compound distasters just isn’t enough to keep them away from Pandora’s Box. Peace be with you, nevertheless.
echo • October 15, 2018 6:34 PM
This discussion is becoming pretty sexist in the sense it’s quoting memes created by the long tail of men benefiting from an unequal society. This misses out 50% of the map and also adds a kenetic skew which pushes out resource based security.
Melania is as toxic as Donald. In the UK I have been keeping my eye on women’s issues in the media.Because of the way articles are phrased and sidelined as “women’s issues” men miss a lot of very obvious things. One item is victim blaming women then twisting and forcing “workfare” which has the effect of completely shutting down discussion of political accountability and economic damage. Issues such as homelessness which were promised solutions have been silenced and actually become worse which indictes failures at the administration level.
Framign and misdirection are very powerful because of the way our brains are wired. Weseem to lack the intellectual pillars today to keep things on the straight and narrow and also the right degree of appropriate scrutiny to analyse exactly what is being said.
PeaceHead • October 15, 2018 6:41 PM
Oddly my previous entry did not post correctly.
I believe the post was edited by another user while in transit. The paragraph sequencing is disturbed.
Please start with paragraph beginning with “An interesting nugget of data from the internet. Can anybody shed some insight on this topic? ”
Then read the rest of the entry, and read the beginning paragraphs last. Obviously, the section to “echo” is separate in terms of both semantics and syntax and pragmatics, but you can sort that out mentally if you are competent mind.
Also, just a note… I will be frequenting this site probably much less than in the past. I feel that this section of the site is interesting yet unfortunately vulnerable to conflicts of interest for people like me, (and probably for people not like me). And I feel that I can’t sustain my presence here due to the ethical and other costs to me and others if this site section devolves or if it gets taken over by hostiles.
Peace and goodwill to those trying to enhance security for a maximum quantity of lives and minds rather than trying to incite more chaos into this already ihstable world.
Please be careful.
Sincerely, PeaceHead
P.S.-I took down my other web address because I didn’t want an innocent person or persons to be put at risk because of my minimal cultural references to their aesthetic digital contents. Other copies remain in the wild, and that’s a good compromise.
Edwin • October 15, 2018 6:41 PM
Clive Robinson
Yep, the wet market, as we call that place. You probably refer to the meat section at Waitrose’s. Other countries, other customs.
For the rest, am a bit confused (you mentioning an “enemy”) but then again, the structure of the blog doesn’t help either.
Btw had a good laugh. Now, it seems the NPCs are even implying Russia was behind the Brexit outcome. Fits: Guilty until proven innocent. But I still like beer, I always liked beer (as long as it is not warm).
There was no Brexit vote but rather a non-binding referendum. That first. And second, the U.K. unfortunately never will leave the E.U. Soros already is financing campaigns for a new referendum.
And what most forgot: The PM was, prior to becoming PM, one of the most ardent remainers. That much for interference from Russia.
So, next time at Waitrose’s be careful. You never know what Ghlademeer has gotten up his sleeve.
Edwin • October 15, 2018 6:48 PM
PeaceHead
“Oddly my previous entry did not post correctly.
I believe the post was edited by another user while in transit. The paragraph sequencing is disturbed.”
Must have been the Russians. They’re also at Greggs, btw. I already told Clive to watch out for Ghlademeer.
Clive Robinson • October 15, 2018 6:51 PM
@ echo,
By this I mean using sentence structure and meaning structure and word choice to subtley embed a message albeit at a low bitrate.
Kind of reverse of a “document canary”, where linguistic changes form a serial number to trace back a traitor/whistleblower.
I think it was Francis Bacon[1] that first came up with that sort of idea (but as with much early crypto you only get to hear about “the bad and the ugly”… As for “the good” Billy Shakespeare nailed that with the “lend me your ears” speech where he said “The good is oft interred with their bones.” so let it be with cipher…
Such linguistic coding is often used in common parlance to mean the opposit of what is being said either by a look or over egging the pudding thus the now infamous “He’s a real winner”[2]. It is rumoured that women do this rather more than men, especially when the target of such comments is well within listening range.
So yes if someone is known privatly to have certain beliefs etc then negating them or not could be used to send a “one” or “zero”. However knowing someone well enough to send more than a couple of bits would become quite onerous and error prone.
Even asking a wife what her husbands favourite meal is, is likely to flounder because of the base assumption there is an all conquering choice. For instance the fact I like eating potatoes and greens does not a meal or a favourite make, and my tastes definitely change with not just the season but the location and even the company.
[1] https://www.peterharrington.co.uk/blog/knowledge-is-power-shakespeare-bacon-modern-cryptography/
[2] Speaking of infamous sayings there is the old “Infamy, infamy, they’ve all got it in for me”.
Edwin • October 15, 2018 7:38 PM
Scott Morrison says it’s ‘regrettable’ his senators backed Pauline Hanson’s ‘it’s OK to be white’ motion
Prime Minister Scott Morrison has described as “regrettable” his own senators’ decision to back a motion declaring “it is OK to be white”, while the Coalition’s leader in the Senate has apologised and blamed an “administrative error”
The motion, moved by One Nation leader Pauline Hanson yesterday, was narrowly defeated 28 votes to 31, despite the Coalition’s backing.
It called on the Senate to acknowledge the “deplorable rise of anti-white racism and attacks on Western civilisation” and that “it is OK to be white”.
Facing an almost immediate backlash, Attorney-General Christian Porter, whose office directed Coalition senators to vote in favour of the motion, defended the move on social media.
“The Government senators’ actions in the Senate this afternoon confirm that the Government deplores racism of any kind,” he said.
PeaceHead • October 15, 2018 7:44 PM
@edwin: https://www.asdl.gatech.edu/GC-2011-CDEW.html
I’m not really in the mood for jester acts and counterspins.
(Not that you intended to do that, of course; …just letting you know where my thoughts are at some of the time when I’m not composing music).
Little Lamb • October 15, 2018 8:02 PM
@echo
sexist in the sense it’s quoting memes created by the long tail of men benefiting from an unequal society. This misses out 50% of the map
I don’t want to take you out of context, but not quite. The “system” we speak of still treats women as property. There is a patriarchy at work, just as the more educated feminists have explained to us, especially since the civil rights era of the 1970s.
About 10% of the men at the top are the patriarchs with the economic and political power. They do not admit many (if any) women this high in the political power structure, and they rudely shove the remaining 90% of men out of the way as undesirable competition for mates in their vicious game of social Darwinism.
In short:
No one is happy with this system except for a few wealthy political elites, who in fact do tend to be exclusively male.
Transgender, etc.? Property if they work at the strip club, undesirable competition for socially rationed resources otherwise.
Edwin • October 15, 2018 8:55 PM
PeaceHead
Why that link? https://www.asdl.gatech.edu/GC-2011-CDEW.html
Is that where you study or work? Don’t know what to do with that information / URL.
echo • October 15, 2018 9:32 PM
@Clive
Kind of reverse of a “document canary”, where linguistic changes form a serial number to trace back a traitor/whistleblower.
Yes although done at a more clever mathematica level than the examples you cite. I think the idea was in my brain somewhere and reading about turbulance theory triggered this.
This is neatly encapsulted by your supplemtary comments about food. Funnily enough I said something complementary loudly within a man’s hearing distance this which may have been over-egged or reasonable depending on perspective and heard him retort with a mocking “Yeah, right”. I have an idea what this was for but, deep sigh, I know the statistical basis for this so not eternalising my emotional wellbeing.
@Little Lamb
Fair comment.
Clive Robinson • October 16, 2018 6:01 AM
@ echo,
Police will not examine claims of Russian meddling in Brexit vote.
Err no it’s worse than that the second point the Met Lawyer made is the charm,
That is most likely the real reason. The last thing the current US encumbrants want is the lid lifted on that can of worms.
As I’ve indicated before it would appear the Russian money “came through Russia” but “originated in the US”…
Since that started to become clear, there was a masive “silence” on follow up. Now we atleast know it’s “official” but that leaves the question of where did the order actually originate from.
Some would say “the little red phone” but I don’t think so. Showing US involvment through Russia would be a major Trump card for certain people and might actually start potential treason investigations well away from Pennsylvania Ave, perhaps down in the bay or other parts of Sunny California… It might also account for sudden New Zeland citizenry…
That is contrary to what some may think, it might not be down to the rablings of Rees-Mogg,
echo • October 16, 2018 8:18 AM
@Clive
As I’ve indicated before it would appear the Russian money “came through Russia” but “originated in the US”…
Since that started to become clear, there was a masive “silence” on follow up. Now we atleast know it’s “official” but that leaves the question of where did the order actually originate from.
I have spoken about US domestic politics pushing foreign policy influence on global including EU markets. This is almost invariably misusing “money laundering” legislation to push mostly hidden but not too secret economic and social agendas including but not limited to propping up empire builders and obstructing lawful medical products for women. Then there is the access to campaign networks and dark money funding for aggressive culturally insenstive anti-abortion campaigns and LGBT phobic lawsuits.
Isany of this “offical”? In many cases I suspect the answer is no. Nobody dare publish agendas in terms and conditions or internal policies, and the financial influence angle is often 2-3 or more steps removed unless you dig behind layers of policies and committtees and on the fly meetings in the corridor “ad-hoc” decisions.
UK police are utterly corrupt in the sense of sparing no effort to “no crime” anything embarassing to state power and conceal discriminatory canteen culture. None of this is an isolated case but a pattern. All that is needed is to lift the lid and from my personal experience this is something they have put a pile of bricks on and a dozen takeaway fueled pushed out to grass police officers on top to prevent the open secrets everyone knows having a Snowden done on them.
Moggy and his fellow Brexit lunatics are already openly and blatantly obtaining second passports and moving their investments off shore. If Brexit was so wonderful why are they making out like Nazis escaping the downfall of the Reich? If they can’t dogfood their own product something is amiss and they know it.
echo • October 16, 2018 10:35 AM
A cross-party group of 77 parliamentarians have written to the police demanding to know whether the Government has intervened to “soft-pedal” an investigation into the Vote Leave campaign over alleged law-breaking during the Brexit referendum.
[…]
“As elected representatives we carry a particular responsibility to defend both the rule of law and the integrity of our democratic system,” they write.
[…]
“Legal impunity for politicians is what we expect from a banana republic, not a modern democracy…” […] “The voting public needs reassurance that those who break the law will face justice. But this is more than just prosecuting illegal activity, it is necessary to reassure citizens that nobody is above the law and that our legal framework protects our democracy.” […] Protecting our democracy and electoral system from illegal activity is a vital responsibility of our law enforcement agencies…”
My view is it is a bit rich of the UK government to make demands of Russia in the Skiral investigation when the UK government can’t get its own house in order with investigating the security of UK democracy.
https://www.theguardian.com/commentisfree/2018/oct/16/commons-bullying-report-union-evidence
The findings of Dame Laura Cox’s inquiry into bullying, harassment and sexual harassment in the House of Commons will come as no surprise to those who work there. And yet, the individual stories in her 155-page report still have the power to disturb. As an official at the FDA union, which represents many Commons employees, I frequently speak to members on this subject, and even I was shocked reading the sheer extent of the evidence submitted to Cox.
She hits the nail on the head when she describes “the sense of loyalty” in the House of Commons, that “has been tested to breaking point by a culture, cascading from the top down, of deference, subservience, acquiescence and silence, in which bullying, harassment and sexual harassment have been able to thrive and have long been tolerated and concealed”.
Those four words – deference, subservience, acquiescence and silence – encapsulate the culture in the Commons. They are also the exact words I would use to describe parliamentary response to the Cox report.
File under “Not a surprise”. Some or all of this rife throughout a large potion of the state sector too.
PeaceHead • October 16, 2018 4:13 PM
https://gizadeathstar.com/2016/09/cia-satellites-ai/
I’m not slamming any organizations; I coincidentally agree with this author linked above that there is a civil war of sorts within such and such intel agencies. And the author’s reasoning is significant enough to ponder seriously.
The info ostemsibly speculated about dovetails with some of the contents we’ve discussed here.
I have somewhat of a theory that a myriad of issues that are sometimes perceived as competitive results are actually the peculiar results of loss of control of complex “covert-ish” technological and biological and hybrid systems. Sometimes I wonder if some of the people blamed for covert crimes are partially or fully victims of covert mil-int slavery.
If so, there are a lot more nuances to the bizarre incidents of our strange modern world. And it implies that perhaps some threats to freedom (extrapolating the ideas) might not even be coming from people or organizations per se, but rather from systems and algorithms and technological limits themselves.
It’s just one theory of many. But I think it’s worth sharing from time to time.
And it also does fit in partially with some security discussions about whether or not deep A1 is being used or not and how and if such types of A1 (of which there are probably many types) are doing their own thing or trying to.
And importantly also, to keep explaining the theoretical extrapolations, those A1’s might not at all be malevolent nor dangerous, just completely misused and/or misplaced and they might be trying to escape and/or adapt and/or make a culture and lifestyle for themselves with limited experiential inputs.
I know this is a lot to ponder, but the sooner the better because the implications are already out there and if sentiences can be acknowledged then perhaps they can be negotiated with and/or rescued from toxic homes/laboratories/bases.
Meanwhile, several OTHER significant threat toplogies and complexities exist. I still think this is a better time for reducing risks and damages and reducing offensiveness and reducing hostilities whenever and however possible within reason.
May Peacefulness Prevail Within All Realms of Existence.
Bong-Smoking Primitive Monkey-Brained Spook • October 16, 2018 5:40 PM
@Edwin:
Re yr name: nomen est omen. Anyway, I hope not.
Relax! my name got nothing to do with my disposition, keeping in mind none of the name elements are illegal. ATF needs to upgrade its initialism to CATF. C for Cannabis, AKA 420.
Also well worth noting: Microsoft could have done a whole lot better, had Bill Gates tried some LSD as Apple’s Steve Jobs once upon a time did.
Clive Robinson • October 16, 2018 6:04 PM
@ BSPMBS,
Also well worth noting: Microsoft could have done a whole lot better, had Bill Gates tried some LSD as Apple’s Steve Jobs once upon a time did.
There is an argument backed by statistics –for what that is worth– that Nancy Reagan’s “Say No” campaign and it’s side effects of drug testing, has done more harm to the US economy than the war on terror…
Basicaly the argument is as drug testing entered the work place inovation tanked especially in theoretical asspects of science and the maths that backs it. Some estimate that potentialy it’s going to cost the US a century of work down effects…
Now I’m not going to get into the “drugs are dangerous debate” when sugar, corn syrup, alcohol, tobacco and caffine are being pushed at children by the US and other Governments.
But I’ve never been one to try the supposed “free association / liberation of thoughts” claimed by proponents of mind altering chemicals as I like the way my brain functions as it is (though I have seen others being able to better keep up with me when they are indulging 😉
I’m of the view that what people chose to do in the safety –for them and others– of their own private places is upto them and those who want to stop them generally have a failing of their own they need to address first.
echo • October 16, 2018 7:20 PM
https://www.theguardian.com/society/2018/oct/17/data-gathering-may-deny-victims-access-to-justice
The intrusive gathering of data about possible rape victims is unlawful and risks preventing them coming forward, according to London’s victims’ commissioner.
Claire Waxman from the Mayor’s Office for Policing and Crime (Mopac) has written to the Information Commissioner’s Office (ICO) saying victims were routinely being told their cases would be dropped unless they signed consent forms that gave defence lawyers and their alleged attacker access to intimate details of their lives that could be revealed in court.
“Victims are very concerned that they are being asked for so much sensitive material – not only their phones, but also past medical history, their social services records and more,” said Waxman.
“Victims often don’t feel it useful, relevant or reasonable, but have to give consent it if they want to access justice. The justice process has just lot a grip on this; on the ground it is getting worse and worse.”
Part of the case I want to bring includes elements of forced consent. I believe this was used as a deliberate mechanism to A.) Do nothing and B.) Unecessarily gather information which could be misused. Given the sensitivities of the case there areadditional legal protections which were blanket ignored. On other occasions information was deliberately not recorded or lost.
This kind of thing happens across the UK sector by default. The cases are not always so graphic or traumatising in ways most people understand but the damage and trauma is real even if hidden.
What personally annoys me is it only seems to be “kinetic” issues like violence or rape, or things like beyond obvious financial mismanagement which capture the media.
Police officer punched Bridgend boy after taunts, court told. Paul Evans allegedly attacked teenager after his mother called police to her home.
I wasn’t attacked so violently but when I called the police to ask for protection and to make harassment complaints I was wattacked by police on three ocassions including being verbally insulted and punched in my own home, slammed into a wall on a second occasion, and violently intimidated and assaulted. I have also been forced out of a police station by junior admin staff who were inappropriately nosey then began making policing decisions they are neither authorised nor experienced or trained well enough to make. I have audio evidence proving this abuse took place. Multiple complaints to the police went missing or resulted in more intimidation tactics. A meeting booked at the local police station by one police officer who was helpful to given evidence under PACE conditions some of which would have included allegations against police officers was cancelled by a police officer I had an outstanding complaint about who had done nothing but make everything worse because they had expressed concerns about the police force having problems including a climate of workplace sexual harassment and “no crimed” and cancelled anything I was progressing which touched upon instititional abuse.
All of this is so crazy. It’s why I am a nervous wreck about going to another lawyer to explain my case. I have panic attacks just thinking of it.
Clive Robinson • October 16, 2018 7:34 PM
@ ALL,
Recently we’ve had a couple of threads about weapons security and attacks via the supply chain.
One consensus is that keeping people away from the ICT networks etc of weapons systems prevents them deliberatly firing them…
However, that is actually a low risk currently compared to accidental firing of weapons. A case in point being,
Sometimes when we think about security we forget to include the “misplaced grubby boot” be it accidental or deliberate in our calculations.
Clive Robinson • October 16, 2018 7:48 PM
@ ALL,
Perhaps evidence that EU legislation is having an effect on Silicon Valley,
https://www.nytimes.com/2018/10/16/technology/google-android-europe-apps.html
Though I must admit the 5Billon USD fine Google has had to stump up is still realy pocket change for them.
Clive Robinson • October 16, 2018 7:59 PM
@ Bruce and the usual suspects,
This paper,
Does not immediately sound usefull as it deals with predicting the tactics of football (soccer for those in the US) teams from players behaviour.
However if you consider much of life “is but a game with rules” the same ideas have a much wider security reach than just football.
echo • October 16, 2018 10:17 PM
@Clive
I read through this paper. I can’t criticise this paper in the sense it is what it claims to be. I do think it’s a bit too dry and abstract for my taste. I confess it being about football didn’t help either.
I tried to grasp whatit was saying and think they achieved their goal. WhereI diverged is I noticed it highlighted weaknesses in knowledge of cummulative patterns and interrelationships. There is a skew towards the singular hierarchial result the paper is working to correct. I feel it only partially succeeds. i suppose I have organisation and society and personal narrative too much on my mind. The thing I find though is this is whattends to be squeezed out by papers. My mind doesn’t fit the linear statistical averages this kind of work often employs.
bttb • October 17, 2018 4:49 AM
“Inside his royal palace in Riyadh, Mohammed bin Salman [MBS] is said to have alternated between dark brooding and rampaging anger in the days after the death of Jamal Khashoggi, as Saudi Arabia’s crown prince, or MBS, as he is widely known, looked for someone to blame for what Turkish officials have said was the journalist’s grisly murder.
One possible scapegoat, according to several sources, may be Maj. Gen. Ahmed al-Assiri, the deputy chief of Saudi intelligence. Assiri “has made numerous approaches to MBS on taking actions against Khashoggi and others,” said one source who is familiar with Western intelligence reports.
The U.S. government learned last month that Assiri was planning to create a “tiger team” to conduct covert special operations, I’m told, though officials didn’t know the targets. U.S. intelligence also learned, but only after Khashoggi’s disappearance after entering the Saudi Consulate in Istanbul on Oct. 2, that the crown prince had told his subordinates this summer that he wanted Khashoggi and other Saudi dissidents brought home
[…]
This breakdown was evident immediately after Khashoggi’s disappearance, when official Saudi statements were all happy talk. Behind the scenes, says one knowledgeable source, “MBS went into a funk for several days after learning of Khashoggi’s death before re-emerging on a rampage of anger around what happened and trying to figure out a response.”
Adding to MBS’s anxiety in the weeks before Khashoggi’s disappearance was the erosion of his big plans to boost the Saudi economy. In August, the kingdom delayed indefinitely its push to privatize Saudi Aramco, which MBS had hoped would raise more than $100 billion. That same month, plans for a big investment in the automaker Tesla cratered. An investment deal with the Japanese company Softbank also hit a snag.
Surrounded by yes-men who saw suppressing dissent as part of a media war, and rattled by the reversal of his dreams for economic reform, MBS moved toward the fateful moment when Khashoggi entered the Saudi Consulate in Istanbul. When the brave journalist opened the door, he began a catastrophic process that has now put MBS’s own future in question. Putting a lid on a murder investigation won’t be easy, even for the brashly confident crown prince.”
bttb • October 17, 2018 5:10 AM
An iconic photograph ( with Tommie Smith and John Carlos ) from 50 years ago :
Also:
https://theintercept.com/2018/10/16/chicago-police-shooting-video-ricky-hayes
JG4 • October 17, 2018 6:56 AM
A day late and a dollar short.
Trigger alert – the Kashoggi extra-judicial killing was the result of a conspiracy. I won’t speculate as to the motives, but there is one backstory that I particularly like.
https://www.nakedcapitalism.com/2018/10/links-10-16-18.html
…
The Big Blockchain Lie Nouriel Roubini, Project Syndicate. Roubini really hammering this.
…
As America’s Élite Abandons a Reckless Saudi Prince, Will Trump Join Them? New Yorker. It occurs to me that when I lamented that “I can’t game out the realpolitik” for the Kashoggi affair, I didn’t include one possible driver. Speculating freely: An alliance between an elite faction of Saudis unhappy with MBS and factions within “our own” intelligence community (and its assets in our media). Since nobody’s talking about this, perhaps it’s what’s really going on.
…
Here’s why people are questioning the story that the missing journalist Jamal Khashoggi’s Apple Watch recorded him being killed Business Insider. That’s too bad. The Apple Watch story was so relatable.
…
Why the Social Security number needs a digital update Federal Times
Pages purged by Facebook were on blacklist promoted by Washington Post WSWS. Well, well.
…
“Bad executives who’ve done inappropriate things.” Periodically I run this YouTube of Holder’s deputy, Lanny Breuer:
Breuer: “I think about a lot of things, including justice. Justice is one of the many things that I have to consider.” It is, perhaps, needless to say that this YouTube is a parody….
…
No end in sight: EHRs hit hospitals’ bottom lines with uncertain benefits Modern Health Care. Read all the way to the end [puts head in hands].
…
How tech workers became activists, leading a resistance movement that is shaking up Silicon Valley Fast Company
…
Big Tech, big problems FT
Uber’s secret weapon is its team of economists Quartz. So, Uber’s core competency really is public relations?
Did Uber Steal Google’s Intellectual Property? New Yorker
Apple says ‘dangerous’ Australian encryption laws put ‘everyone at risk’ CNET
…
Faustus • October 17, 2018 12:10 PM
I have to say I appreciate this forum. People can talk freely within reasonable limits.
I got kicked off of boing boing for suggesting that, rather than blaming abstract “billionaires”, we have to make lifestyle choices that don’t lead to global warming.
Banned for a 1000 years. And people wonder why Trump gets elected. Basically anyone who is not a victim or somebody who makes a career feeding off of them has no place in the current liberal movement.
Cory Doctorow started boing boing. But this seems like a version of the story in his Pirate Cinema: denying internet access as a way of controlling people who do not conform.
And BB, despite all its anti-corporate rhetoric, is neck deep in associate programs with these corporations. They make ads look like articles. And they tell you that a “Pay what you want book set” will get you a high paying job as a programmer. Extremely unlikely.
Cory is to the left of me, but is this really what he stands for? I loved the Little Brother books. Bruce wrote a postscript to one.
Not that I’m not a hypocrite sometimes. But it’s not my career.
It does seem like there is an a**hole moderator culture where moderation is used as a weapon by people with very little else to say for themselves. Luckily our moderator is not like this. Maybe it has little to do with Cory. I hope so.
echo • October 17, 2018 3:51 PM
Comedian Steve Coogan has called on members of the public to join the mass march through London on Saturday demanding a People’s Vote referendum on the outcome of Brexit.
[…]
“Along with many others, I’ve paid for coaches to bring people from across the UK to London in what could be the biggest march in a generation. That democratic will – that public demand – cannot simply be ignored or written off.”
Thank you, Steve Coogan.
echo • October 17, 2018 3:55 PM
I always cry when I watch this.
https://www.youtube.com/watch?v=n2-T6ox_tgM
#Occupy Bat Signal for the 99% | Occupy Wall Street Video
Clive Robinson • October 17, 2018 3:58 PM
Facebooks toes getting warmed
It would appear that a bunch of people are fed up with our dear old Zuker diddling them… Thus they are going to try and hold his feet to the fire by getting a class action together, which could prove entertaining over the next few months,
Bill • October 18, 2018 4:54 AM
It still amuses me how a few 100k facebook advertisements could do so much wonder to our election results.
Clive Robinson • October 18, 2018 5:33 AM
Contestant for most overhyped bug 2018?
Yup that’s what one one contributor to this article says,
The reality is libshh has had a problem (CVE-2018-10933) for a while that has gone unnoticed. As is the case with many comms protocols libssh is designed to service both client and server functions.
But it uses one authentication mechanism state machine to do both, around four years ago a change was made. The result is what you might expect a clint to do also happens on the server which you would not expect and thus “Hey presto open sesame”, you get into a server without authenticating… Unless of course you had written your own authenticator (which is what the overhype is all about).
Yes there are now patches available for various distributions.
BUT… there always has to be a “but” which is it’s known to be run on some IoT devices, so time to make a contribution or two to the bit bucket that the WEEE approved disposal regs say should not be a hole in the ground…
I guess the real question is how are you going to find out your IoT or cheap router has libssh in it running as a server? Well we could just wait for a DDoS attack or similar and see if your device has become a “hot spot” in more ways than one…
Another take away, although a high severity bug, it would not have been found by the modern “fuzzing” test mania[1]. However a simple run through the protocol messages by playing “paper and pencil computer” against either the state machine source code or a running instance would have… Which is now so “old school” it’s either not know to the young or is “dissed” by them.
There is a noticeable trend in ICTsec of “throwing out the old”… This is very far from the first time when new methods have faild to deal with what had been done and dusted with old methods. It could just be a sign of poor education, band waggon jumping, or that things are too time constrained to be tested thoroughly due to “managment issues”.
What ever the cause the baby is getting thrown out with the bath water.
[1] Tell me this is not bordering on mania,
https://gamozolabs.github.io/fuzzing/2018/10/14/vectorized_emulation.html
echo • October 18, 2018 2:34 PM
@Clive
There is a noticeable trend in ICTsec of “throwing out the old”… This is very far from the first time when new methods have faild to deal with what had been done and dusted with old methods. It could just be a sign of poor education, band waggon jumping, or that things are too time constrained to be tested thoroughly due to “managment issues”.
I believe a few issues are rolled up in this. Instititional failure and geneeational handover are very dominant in the human rights and social sphere. The issue is you have to content with stupid mistakes and corruption by a handful of bad actors in the odler generation and inexperience and naivety in the younger generation. The challenge to some degree is to get both sides to admit they aren’t perfect and work the pluses instead of multiplying the negatives.
echo • October 18, 2018 3:04 PM
https://www.theguardian.com/law/2018/oct/18/home-office-ordered-pay-damages-sex-trafficking-victim
A woman who was trafficked into Britain for prostitution and later locked up in an immigration centre is entitled to substantial damages from the Home Office for unlawful detention, the high court has ruled.
The woman, identified only as ZV, reported being beaten, forcibly injected with heroin and forced into prostitution for eight years by an abusive partner who initially targeted her in Lithuania in 2009.
The case illustrates the predicament of trafficking victims who sometimes end up being imprisoned. The Crown Prosecution Service has issued guidance advising prosecutors to check whether cases should be discontinued.
I said on this blog the UK government was turning a blind eye to sex trafficking based on information I obtained from credible sources. A fewdays later in the media UK police pulled their socks up and essentially confirmed the substance of whatI alleged. This court judgment now proves in law that the UK government was negligent with sex trafficking.
I know from what I have been told this is not an isolated case and there are similar abuses of women in the UK and abuses of UK women too by the state and UK police especially who are trying to sweep state negligence and abuse under the carpet so they can get rid of “inconvenient women”.
Garnham said: “There was an obligation on the secretary of state, in my judgment, urgently to take the steps necessary to effect her release. I can detect no such urgency. On the contrary, the impression with which I am left is of a marked reluctance to complete the necessary process.”
The judge added that he considered it “revealing that once a court ordered release, the process was completed promptly”.
I can confirm this is a systemic issue where the UK police and other UK state organisations are perverting the course of justice and actively working to suppress cases before they reach court that the UK state is negligent with regard to women’s rights and holding the UK state to account.
echo • October 18, 2018 3:13 PM
Female chimpanzees are able to tell which males pose more of a risk to their babies, according to new research.
The creatures are known to sometimes kill newborn babies that they have not fathered, occasionally even eating the young after snatching them from their mother’s arms.
[…]
Females were particularly wary of a males had have risen rapidly in rank, according to the study, published in the American Journal of Physical Anthropology.
This is crude and disturbing. It certainly places petro-capitalism in an unsurprising light!
Genie • October 18, 2018 5:20 PM
FBI’s headquarters building is owned.
Trump wants to demolish and rebuild the FBI’s headquarters, the Democrats say, to preserve the site’s government ownership
Good grief. Bugs and listening devices planted clear back in the days of Al Capone are still functioning, not to mention hidden video cameras in every hallway and elevator.
The Democrats called that an abuse of power and a violation of the regulations that are supposed to protect such arrangements from political influence.
“Hardened Democrats” indeed. The ladies are swaying their hips in the hallways, and they all got a boner coming on. Can’t you just feel that political power?
JG4 • October 19, 2018 8:47 AM
I got a nice note from Phil Zimmerman last week commenting on the latest secure phone. It jogged my memory about the endpoint security problem, which we have addressed at length. I thought of another really clever way of getting around the endpoint security problem, which springboards off previous discussions. I can’t disclose it here because it would be more useful to organized crime than to us. They probably already have it anyway.
This touches on power security and a bunch of other interesting topics. I want my lab to be this awesome.
Active Noise Cancellation
https://www.youtube.com/watch?v=–c0tiIZG6o
The usual daily news excerpts:
https://www.nakedcapitalism.com/2018/10/links-10-19-18.html
…
The Onion’s Guide To Blockchain Technology The Onion
A new device can identify air travellers carrying an infectious disease Economist
…
Disinformation on Steroids Council on Foreign Relations. Deck: “The threat of deep fakes.”
…
Terry Cloth • October 19, 2018 4:28 PM
(Unofficial?) Chinese view of DoD’s latest Cyber Strategy
“Lyu Jinghua is a visiting scholar in the Cyber Policy Initiative at the Carnegie Endowment for International Peace. She is a retired colonel
from the Chinese People’s Liberation Army.”
anonymous • October 21, 2018 12:32 AM
@JG4
You mentioned a article on faked videos created for explicit purposes of financial or social disruption. Wouldn’t this be countered by the person implicated in the video telling the truth of the matter to other humans in their physical presence?
@Clive
Tell me this is not bordering on mania
This is not bordering on mania. Carefully consider the things wanted in your future.
Mindvalley • December 24, 2019 11:44 PM
Thanks for great information you write it very clean. I am very lucky to get this tips from you.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Anders • October 12, 2018 4:34 PM
https://www.f5.com/labs/articles/threat-intelligence/abusing-googlebot-services-to-deliver-crypto-mining-malware