Friday Squid Blogging: Roasted Squid with Tomatillo Salsa

Recipe and commentary.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on October 19, 2018 at 4:00 PM • 70 Comments

Comments

Ratio • October 19, 2018 7:00 PM

Nidal Hasan: A Case Study in Lone-Actor Terrorism

Abstract

As one of the most infamous examples of lone-actor terrorism, an extensive array of studies touch on the case of Nidal Hasan, the perpetrator of the 2009 Fort Hood attack. This study strives to complement these works by conducting a micro-level analysis of Nidal Hasan and his path to mobilization through various stages, including religious intensification, radicalization, mobilization, and post-attack evolutions of his ideology. In order to produce a comprehensive review, this article utilizes a variety of previously unpublished sources, including Hasan’s full pre-trial sanity board report and documents penned by Hasan before and after the attack. The discussion also draws from interviews with Hasan himself through written correspondence, as well as conversations with Hasan’s cousin, and Hasan’s former attorney, Lt. Col. Kris Poppe (Ret). The analysis concludes with three critical takeaways. First, his faith was fundamental to the development of Hasan’s worldview and his pathway to mobilization, especially his views of hell and obedience to God. Second, despite receiving credit for inspiring Hasan to commit violence, the Yemeni-American cleric Anwar al-Awlaki did not play a primary role in Hasan’s mobilization. Third, evidence suggests that Hasan’s radicalization followed a linear trajectory. In light of myriad theoretical frameworks contextualizing the mobilization of lone actors and other violent extremists, these observations are critical to understanding Nidal Hasan’s path to the attack on Fort Hood.

Thoth • October 19, 2018 9:16 PM

@all

Google now includes their proprietary Titan M Security Module chip inside their Pixel 3.

Another new spin on the old trick of hardware backed persistent backdoors from yours truly - Google Inc.

It is claimed to be tamper resistant, which means it is as good as a Smart Card chip embedded onto your phone processing board, and comes with so-called Trusted Boot, which means good luck with trying to run uncertified OSes.

Good luck to those purchasing a Pixel 3. More of these might be a common sight as Qualcomm too have such projects in their new processors.

Link: https://store.google.com/us/product/pixel_3_specs

Weather • October 19, 2018 10:03 PM

@Thoth
I had one of those phones, and loaded "kingo root" on it OK. You still can load device drivers, but like you said a full OS might not work.

echo • October 19, 2018 10:59 PM

https://www.thurrott.com/windows/windows-10/189152/microsoft-allegedly-overcomes-performance-issues-in-its-spectre-fixes

“We have enabled retpoline by default in our [Windows 10 version] 19H1 [builds] along with what we call ‘import optimization’ to further reduce [performance] impact due to indirect calls in kernel-mode,” Microsoft’s Mehmet Iyigun tweeted this week in response to questions about improved performance on this pre-release version of Windows 10. “Combined, these reduce the [performance] impact of Spectre v2 mitigations to noise-level for most scenarios.”

[...]

Anyway, it looks like we may suddenly see a big performance boost, if you will, when the next version of Windows 10 appears in early 2019. I’m guessing that Microsoft has no plans to back-port this fix to other versions of Windows 10. After all, Intel’s security woes have simply bolstered Microsoft’s view that its customer base needs to be on the latest software versions to be safe.

While a performance increase for a security fix is welcome, I dislike how Intel has slid off the hook and Microsoft continues to force uptake of versions when they introduce more compromising features in other ways.

Wesley Parish • October 20, 2018 1:26 AM

@Bruce and the Usual Suspects

Microsoft has released a paper on keeping the peace in cyberspace:

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW67QH

To wit:

Advancing a Digital Geneva Convention to protect cyberspace in times of peace

Governments continue to invest in greater offensive capabilities in cyberspace, and nation-state attacks on civilians are on the rise. The world needs new international rules to protect the public from nation-state threats in cyberspace. In short, the world needs a Digital Geneva Convention.
Although no international agreement is ever perfect, the world has already benefited from other global covenants. The Treaty on the Non-Proliferation of Nuclear Weapons and the Chemical Weapons Convention are both examples of the international community coming together to effectively manage weapons with the potential to create catastrophic harm.

Trust but verify is a long-standing and valid rule followed by the likes of the treaty systems mentioned above. But it can be made to work. (Frexample, the US government probably offended seismologists with its claims that the Comprehensive Test Ban Treaty could not be verified, when the nuclear powers had given them so much practice in verifying the underground nuclear tests prior to the said treaty entering force. By that time they probably had at least twenty years of data proving that underground nuclear tests could be distinguished from ordinary seismic events. I wish I could remember if Trudeau did a Doonesbury on absurd US claims on test ban verification; it sure deserved it.)

sPh • October 20, 2018 1:04 PM

The Bloomberg story keeps getting weirder - I hope Bruce is tracking it for future analysis and posts.

JG4 • October 20, 2018 2:19 PM

@the usual suspects - It may already have been mentioned that the right to repair is going to come into conflict with the problem of projected intent. As we walked on Spookwerks Circle yesterday, we talked about the problem of self-driving cars being improved by their owners vs. hacked by bad actors. Sometimes those are the same thing, when a good actor makes a mistake. I pointed out that the auto insurance companies don't want accident rates to go down, at least in the long term, and that health insurance companies don't want medical costs to go down. In point of fact, self-driving cars will bring auto fatality rates into line with commercial aviation. There was a brilliant story on NC this week that I didn't link.

https://www.nakedcapitalism.com/2018/10/links-10-20-19.html
...

Cuttlefish wear their thoughts on their skin Nature (furzy)
...

Robotic indoor farms can grow food anywhere, anytime ZDNet (David L)
...

How blockchain could actually damage voting security Asia Times
...

Big Brother is Watching You Watch

Smart home makers hoard your data, but won’t say if the police come for it TechCrunch

Apple CEO Tim Cook Is Calling For Bloomberg To Retract Its Chinese Spy Chip Story BuzzFeed

Buggy software in popular connected storage drives can let hackers read private data TechCrunch
...

My Morehouse Brother Chinedu Okobi Died After Being Electrocuted by Police. Tasers Are Not “Less Lethal” Weapons. Intercept
...

Why Kodak Died and Fujifilm Thrived: A Tale of Two Film Companies PetaPixel (David L)
...

echo • October 20, 2018 5:14 PM

https://www.theatlantic.com/science/archive/2018/10/beyond-weird-decoherence-quantum-weirdness-schrodingers-cat/573448/

The Universe Is Always Looking. The one thing you probably understand about quantum physics is actually a poor metaphor for the modern state of the field.

I've been watching documentaries on black holes and quantum mechanics and the atom and lots of interesting stuff like this. I have discovered that a lot of mainstream documentaries and media articles tend to badly explain things or not quite get it or miss new and interesting things. This article gets most of the way there with explaining the nature of reality including the quantum world and the world we experience as well as explaining how the issues can be better explained.

This article explains the issue of decoherence, and the transition between the quantum and macro state, fairly well. It's disappointing in other ways as it dryly bulldozes the issue of consciousness, which is one of many aspects of science that are currently an unknown, which the article itself half admits but doesn't explain. While "true" within the context of this article it's a little tactless and abrupt and forgets that people reading the article are human and have emotions and a subjective view of the world which gives them meaning and enjoyment. This is more the realm of psychology and sociology or further out political and religious discourse which can be a little closed minded and authoritarian in other ways.

Genie • October 20, 2018 11:00 PM

FBI: Bad News for Hacker
Latvian Man Used Fake Ads on Newspaper Websites to Spread Malware

We need a better, cheaper, and faster approach. You can't leave the "back doors" of your computer wide open for the world and then scream FBI every time some JavaScript page starts running a bit slow.

Nor can I be expected to risk international extradition and arrest when I program a computer, either.

Five years on the loose? Cold case. The hotel bosses who hired the guy got off scot free, and they went after the little fish as usual.

Clive Robinson • October 20, 2018 11:43 PM

Accident or design?

    The special pathos of technological tragedies is that the engines of our destruction are machines that we ourselves design and build.

Is a quote from,

http://bit-player.org/2018/another-technological-tragedy

Which describes in a more readable way the results of a preliminary NTSB report into what led up to,

    Dozens of fires and explosions [that] rocked three towns along the Merrimack River in Massachusetts. By the end of the day 131 buildings were damaged or destroyed, one person was killed, and more than 20 were injured. Suspicion focused immediately on the natural gas system.

To anyone who has ever designed parts of distributed Petro-Chem systems the recurrent problem of pressure control systems is one that haunts.

The first one burned into my memory was the Piper Alpha Disaster[1] in the North Sea off the Scottish coast thirty years ago.

The bare statistics for Piper Alpha were: on 6 July 1988 there was an explosion and resulting oil and gas fires that destroyed a combined Oil and Gas platform, killing 167 people, with a loss of around 10% of UK Off Shore production and a total insured loss around $3.4 billion.

Making it not just one of the costliest man made catastrophes ever, but in terms of lives lost and industry impact it is still considered the worst offshore oil disaster. Oh and it very nearly brought down the Insurance industry as well.

Both disasters happened during "live maintenance" and in both cases the failure of pressure control systems was a major contributing feature to the disaster. Pressure control systems are not inherently fail safe, be they human or technological in control, and thus both over and under pressure problems exist continuously. This often results in increased flow of gas or oil into an existing emergency, turning it into an inevitable thus predictable disaster.

When we hear of potential "Terrorist or State Level" attacks on infrastructure few outside of a small community of technologists realise just how fragile some systems are. Or how prone systems are to all forms of cascading failures that like the exploding of a nuclear bomb go from just one or two seemingly tiny events into almost unimaginable consequences.

Few software or for that matter electronic hardware designers ever get formal training in "Intrinsically Safe" or similar design methodologies. Thus few have any idea of how cascade failures start, progress, or finish. Management in particular do not want people to know, thus the majority of people don't get to know or have a say in what is in reality life and death decisions being made about them. That is by a group of people whose primary interest in life is profiting by externalising risk onto others.

The majority only get to hear of "tragic accidents" at the time of a disaster, not how they could and should have been prevented by sensible design. Even when, against industry lobbying, legislators do act, it is almost always insufficient.

As an engineer with a modicum of experience in the area of safety systems it becomes daily more worrying about the direction industries are led. From the very top the direction is to use ever cheaper ill thought out and irresponsibly designed and produced systems in essence for "the cheapest price" so as to maximise "Shareholder value".

When I look at Internet of Things (IoT) I don't ask "if?" it will create a disaster, nor do I ask "when?" such a disaster will occur, I simply ask myself "how big?" a disaster will it take to get through to people, especially legislators...

[1] https://en.m.wikipedia.org/wiki/Piper_Alpha

David Rudling • October 21, 2018 4:10 AM

@Clive Robinson
Accident or design?

A particularly good addition to Bruce's discussions on the risks of IOT with a very interesting link. Thank you.

JG4 • October 21, 2018 7:01 AM

Thanks for the ever-helpful discussion.

https://www.nakedcapitalism.com/2018/10/links-10-21-18.html
...

Net Neutrality

Entire broadband industry sues Vermont to stop state net neutrality law Ars Technica

...
Big Brother IS Watching You Watch

Smile! The Secretive Business of Facial-Recognition Software in Retail Stores New York magazine
...

This is the bit that I referenced yesterday:

https://www.nakedcapitalism.com/2018/10/links-10-18-18.html

Did Uber Steal Google’s Intellectual Property? The New Yorker. Nice people we have at Google:

One day in 2011, a Google executive named Isaac Taylor learned that, while he was on paternity leave, [robot car maven Anthony Levandowski, who later left for Uber,] had modified the cars’ software so that he could take them on otherwise forbidden routes. A Google executive recalls witnessing Taylor and Levandowski shouting at each other. Levandowski told Taylor that the only way to show him why his approach was necessary was to take a ride together. The men, both still furious, jumped into a self-driving Prius and headed off.

The car went onto a freeway, where it travelled past an on-ramp. According to people with knowledge of events that day, the Prius accidentally boxed in another vehicle, a Camry. A human driver could easily have handled the situation by slowing down and letting the Camry merge into traffic, but Google’s software wasn’t prepared for this scenario. The cars continued speeding down the freeway side by side. The Camry’s driver jerked his car onto the right shoulder. Then, apparently trying to avoid a guardrail, he veered to the left; the Camry pinwheeled across the freeway and into the median. Levandowski, who was acting as the safety driver, swerved hard to avoid colliding with the Camry, causing Taylor to injure his spine so severely that he eventually required multiple surgeries.

The Prius regained control and turned a corner on the freeway, leaving the Camry behind. Levandowski and Taylor didn’t know how badly damaged the Camry was. They didn’t go back to check on the other driver or to see if anyone else had been hurt. Neither they nor other Google executives made inquiries with the authorities. The police were not informed that a self-driving algorithm had contributed to the accident.

C’mon, let’s be fair. Who keeps track of collateral damage?
...

Bob Paddock • October 21, 2018 9:46 AM

@Clive Robinson

"Few software or for that matter electronic hardware designers ever get formal training in 'Intrinsically Safe' or similar design methodologies."

For 22 years I designed coal mining equipment. While in one mine I watched a fellow walk into a cross-cut, pull out his lighter and light up a cigarette. Making me think at the time 'Why did I have to break my ass with this IS stuff?'

In a different mine, ponder what are the electrical properties of a Band-Aid at 4400VAC?:

I once asked the longwall foreman that I was with why the 4400VAC trailing cable (powers the shearer) had so many Band-Aids (several layers deep) on it, "did it get an ouchy or what?" I recall asking. His answer was chilling: "Management thought we were using too much electrical tape, so they refused to give us more. They don't care how many Band-Aids we use." A rock had fallen on the armored cable damaging the insulation.

The users (the Flik My Bic guy in this case) and Management are often found at fault far more than the system designers.

Genie • October 21, 2018 11:27 AM

@Bob Paddock

For 22 years I designed coal mining equipment. While in one mine I watched a fellow walk into a cross-cut, pull out his lighter and light up a cigarette. Making me think at the time 'Why did I have to break my ass with this IS stuff?'

That's a catch-22. Damned if you do, damned if you don't. If people are paranoid of starting a flame, then the mine will fill with combustible gases. If people have no fear of lighting a match anywhere, there will probably be no problem. Strike anything with a hammer or use tools in a mine, you make a spark anyways, don't you?

Otherwise, coal dust is probably just plain hard enough to breathe without the cigarette smoke, and the air gets plenty stale enough as it is without it.

I'm trying to guess, but how much safety is superstition, "this is how it's done," and noticing that something's a little bit off if it's not done the usual way?

Timothy • October 21, 2018 1:07 PM

To further address a different threat vector affecting election security, the Senate Judiciary Committee held a hearing in June 2018 titled “Protecting Our Elections: Examining Shell Companies and Virtual Currencies as Avenues for Foreign Interference.” One witness, Scott Dueweke, President of The Identity and Payments Association (IDPAY) and Director of DarkTower, alerts the committee to the risks of cryptocurrencies and other hard-to-trace virtual currencies that can be used to fund political campaigns and political ads.

According to his testimony, “Every state except for Kansas allows Bitcoin contributions.” He also testifies that a former White House aide who is running for Congress has raised $200,000 in virtual currencies “in spite of the Fair Political Practices Commission in California recommending campaigns to not accept cryptocurrencies because their transactions are considered ‘virtually impossible to trace.’”

He says that many of the ads placed by Russians to influence U.S. elections were paid for with the Russian centralized virtual currency Qiwi. Dueweke testifies that Visa partnered with Qiwi on a virtual wallet in 2011 and that there are approximately 18.5m Visa Qiwi wallet accounts that make sending money internationally easy. He recommends joint international efforts to authenticate identities especially as they pertain to political contributions and advertising.

echo • October 21, 2018 3:46 PM

@Clive

I have contacted a lawyer to essentially force a management meeting before any lawyer is involved in the case due to governance and professional standards concerns. I have grave concerns for my safety and wellbeing given known failures and ingrained practices. We will see what happens but given how I was abused by the UK state sector if new lawyers display a similar lack of care I'm not sure words can convey the depth of injustice - that establishment and police can bully and harass and threaten and sexually abuse and commit violence and treat people like cattle with impunity.

Because of abuses of trust in the past I will not be informing them of the details of Plan B.

@Clive, @Genie

The UK is currently being investigated by the United Nations for systemic failures and abuses. The concerns you cite are relevant. I believe Brexit is part of this mess, even if not obviously or directly, but definitely a consequence of the UK government working actively to avoid EU treaty obligations and obligations under the European Convention. With regard to Lord Neuberger's opinion prior to his retiring from the Supreme Court, he claimed that a failure of UN treaty responsibilities would require the resignation of the UK from the UN security council.

echo • October 21, 2018 4:15 PM

http://www.osnews.com/story/30811/It_isn_t_how_often_MS_updates_Windows_it_s_how_it_develops_it

The latest Windows feature update had to be pulled due to a serious data deletion bug, so it makes sense to take a good look at the development process of Windows, and what can be changed to prevent such problems from appearing again.

I despair of the UK state sector who hide behind the bad and processes and "get off" after pseudo-investigations with citizens left to fix the mess they created. Large corporations are no different. Whatever happened to quality and customer service and putting things right? It's the whole mentality of the thing I don't like.

https://www.bloomberg.com/view/articles/2018-10-20/putin-s-big-military-buildup-is-behind-nato-lines

Putin’s Big Military Buildup Is Behind NATO Lines. Bolstering Kaliningrad sends a worrying message to Eastern Europe.

The geo-politics of this is messy. I don't buy "OMG Russia!!!" scare stories but neither do I buy Russian macho posturing and constant irritations. Given Russia is in the backyard of the EU and constructive political and trade and military talks are more our business than Americas I would welcome a greater role for the EU in securing a safe and stable long-term settlement with Russia.

I have a personal dislike of enclaves.

https://en.wikipedia.org/wiki/Kaliningrad_question

Weather • October 21, 2018 5:03 PM

Windows XP SP3 has a notepad exploit with the default text view.

Characters from 0x00-0x81 had a value between 3-7 depending on the character. If you generated a file where the value added up to fffffffe, then had a character between 0x82-0x90, it would add 2 to the value but skip the check of ones less or above 82-90, causing a wrap around bug. A file about 350mb was needed; upon deleting the file the recycling bin would crash.

More modern Win Is might suffer from the same code reuse, but I can't find a PoC on Google about the bug.

Better late than never I suppose

echo • October 21, 2018 7:35 PM

https://www.independent.co.uk/news/uk/home-news/domestic-violence-victims-police-court-orders-nmo-report-a8590831.html

Tens of thousands of domestic violence victims could be at risk of abuse because police are unaware of court orders against their attackers,...

[...]

“Every time they put it in their handbag or pin it to their fridge, they are reminded they are a victim, and of the trauma they had to go through. The onus on the victim to relive the trauma every time they see that paper is fundamentally unacceptable.”

Many victims take action against abusers through the civil court system rather than the criminal system because it is less stressful, protracted and upsetting, according to the research.

[...]

“While I agree that we must do more to share information in order to better protect victims, I am concerned that a national register of all restrictive orders will require substantial investment and may lead to unreasonable expectations of policing to enforce matters well beyond our remit of safety and justice.”

Women who have been abused often on their own time and expense secure civil court orders. This saves a huge amount of police and court resources yet at the same time the police complain about the costs of proper administration and a simple database system to provide universal enforcement of these court orders. What is equally horrible is Deputy Chief Constable Louisa Rolfe, of the National Police Chiefs’ Council, is a woman herself and joining in with institutional indifference by parroting the management line. The idea that "implications for victims, policing and other agencies are not yet assessed or understood" is yet another repeat of the "more research is required" line in healthcare which is code for not paying attention to what women are telling the police or what the data says and getting their ducks in a row for sticking their hands out to the treasury for more money. The police like the rest of the state sector have duties and obligations framed not just by case law but also by statute and they continue again and again to shirk their responsibilities. The handwaving the police conclude with is another familiar line of spouting off about expensive requirements and being flooded with timewasters. This is a very cynical and underhand way of telling women who in some cases have had their lives destroyed sometimes because of police "no crimeing" and "inaction" that women don't matter.

Suzanne Jacob, of Safe Lives, said: “Technology is moving on fast but key agencies in the UK are not keeping up. We can order specialist dog food from the other side of the world in three clicks, but we can’t rely on systems used by absolutely crucial agencies to safeguard us from harm. That’s completely unacceptable. To change this antiquated approach requires real leadership and investment – patchy improvements are not enough and will not keep people safe.”

Yes exactly this and it is not the only instance of how the UK state has fallen behind what is possible and changes in society.

I wouldn't be surprised if I was coding before most police officers today were even born. To have to listen to the police spout this template of stupid nonsense like I and other women are idiots and swallow their PR tricks is insulting.

Thoth • October 22, 2018 12:04 AM

@Timothy

Hyperledger on Wiki: https://en.wikipedia.org/wiki/Hyperledger

Hyperledger blockchains are based off Ethereum and a modified Ethereum Virtual Machine to execute smart contracts, with a permissioned blockchain setup where identities are managed via X.509 certificates, and a sort of closed off Certificate Authority for the particular blockchain would be used to manage members in the permissioned blockchain and their identities.

Note that membership is controlled by a central authority with a centralized form of CA not open to the public.

Timothy • October 22, 2018 3:10 AM

@Thoth

Hyperledger is a bunch of Open Source blockchain technology funded by Linux Foundation and with many supporting institutions and institutional investors.

I didn’t realize how many major organizations were involved. Apparently 14 new members recently joined the Hyperledger consortium, including FedEx and Honeywell, bringing the total up to 277 organizations.

You mentioned the Monetary Authority of Singapore and Project Ubin and that’s led me to a really well-organized report authored by Deloitte and the Monetary Authority of Singapore titled “Project Ubin: SGD on Distributed Ledger.” From Deloitte:

[W]e provide a brief overview of DLT... while outlining Project Ubin, which places a tokenized form of the Singapore Dollar (SGD) on a DLT. Singapore may be the first major financial centre in Asia to fully explore the benefits of DLT across a broad set of transformative applications.

How fascinating and forward-thinking! Great conversation, as it was just today that I saw an article about Tether and stablecoins. To add to that, Hyperledger tweeted an article about more companies rolling out blockchain test pilots and leveraging blockchain-as-a service. (“Blockchain to generate more than $10.6B in revenue by 2023”). Walmart via a blockchain pilot project concluded that their ability to trace the data attributes of a food item, mangoes for this proof-of-concept, from farm to store was reduced from seven days to just 2.2 seconds. As they said: “That’s ‘food traceability at the speed of thought.’” That is truly impressive.

Thoth • October 22, 2018 6:12 AM

@Timothy

Also a note that my current batch of customers are mostly made up of organizations and people (including those in the financial sectors - banks and government) that are querying on Cryptocurrency and Blockchain security that makes the current bulk of customers for now.

Whether it is a stupid idea to move to Blockchain or not, we don't know. What the MAS have done is created room for discussions and security vendors like me and many others to provide our products and services.

It is not just on the business side that it opens new domains for business opportunities but it allows more exploration of possible use cases and to simulate scenarios via the Government's sandbox setup.

Who knows what would come out of the sandbox project.

We may not like certain technologies as they are and instead of just making noise about it, I personally believe in wading in and trying to find innovative solutions to problems and see how it progresses.

Bruce Schneier • October 22, 2018 8:41 AM

@Wesley Parish

"Microsoft has released a paper on keeping the peace in cyberspace."

Is this document new? Microsoft has been pushing this idea for years.

Bruce Schneier • October 22, 2018 8:43 AM

@sPh:

"The Bloomberg story keeps getting weirder - I hope Bruce is tracking it for future analysis and posts."

What's new? At this point, everyone and their cousins are denying the story, and Bloomberg is refusing to back down -- saying that its sources are credible and the story is true.

I am suspicious of the story, because if it were true I would have expected to have seen a photograph of the Chinese implant by now.

Faustus • October 22, 2018 9:34 AM

@Thoth

What are you suggesting? That we know something about a technology before condemning it? That we improve on prototypes of new fangled things like cars, airplanes, spaceships, computers and blockchains rather than discarding them based on first prototypes? Man, you are reasonable. Come here and sit by my fusion fire!!

I am totally flummoxed why people are reflexively against blockchains in election software, especially if we are going to have election software anyhow, rather than a traditional system.

"Traditional ballots are perfect!!" boffins scream, seemingly discounting how easy it is to disappear pieces of paper or full ballot boxes. Even if the absence is detected, the courts will just shrug. How do you count something that doesn't exist? Whose votes are missing? They never read numerous articles of ballot boxes disappearing wholesale throughout the world. "We'll have two guards on each ballot box", and one guard to guard those guards. I've never heard of police malfeasance (since I start singing to myself and closing my eyes whenever it is suggested) and only the other party ever cheats.

Blockchains guarantee the integrity of the stored data. A sensible transparent system (not the WV one) will allow people to positively confirm their specific votes via software that shows them the arbitrary data that they provided at voting and also allows them to run their own tallies and checks with an uncontrolled variety of open source software. Total votes should be in line with registrations. A few people can refrain from voting (so many do already) to verify that no one is voting in their stead. If the vote is corrupted, an internet system facilitates a quick revote.

This answers, as far as I can see, every concern about vote hacking. Your vote is confirmable by software provided by you and the totals are also verifiable by DIY methods.

The one reasonable concern I've heard is that this system enables people to sell their vote. I think this is a minor consideration as we effectively do already by electing whoever best panders to us.

Sancho_P • October 22, 2018 9:37 AM

@Bruce, Wesley Parish

Yes, very sad.
Another “paper” without face (last century it was called “author”),
stuffed with dozens of buzzwords, probably written (copy/paste) by a bot.
Wait, it has no date -
So it was likely written by a human, a daydreamer!
A bot would know the date.
Is it approved? They usually don't politics.

Yes, we need peace and it would …
- Only no one cares.
Because: We know endless growth in limited space requires destruction.

Don’t pretend to believe in a happy ending:

Said the brain tumor to the liver cancer:
“Boy, less than 6% growth in the last quarter, this doesn’t bode well!”

TimothyOctober 22, 2018 1:43 PM

@Thoth

Also a note that my current batch of customers are mostly made up of organizations and people (including those in the financial sectors - banks and government) that are querying on Cryptocurrency and Blockchain security... What the MAS have done is created room for discussions and security vendors like me and many others to provide our products and services.

Until you opened the door on blockchain development, I was not aware of how proactively the banking and finance sectors were pursuing the technology or exactly why it continued to draw so much investment. In my nascent understanding it seems like there is highly-anticipated promise for improving data availability, speed, and transactional efficiencies, among many other things, and that other sectors such as manufacturing, the supply chain, and IoT are showing strong interest.

For what must be very precious spare time for you, I'm sure we are all grateful for the knowledge and perspectives you are able to share :)

echoOctober 22, 2018 4:24 PM

What is the world coming to? British schools being turned into Victorian prisons and German far-right parties trying to turn children into Hitler Youth?

https://www.theguardian.com/education/2018/oct/22/secondary-school-bans-talking-in-the-corridors-to-keep-children-calm

A secondary school has banned pupils from talking between lessons, threatening detention to children who break the rule.

[...]

“The sanction for breaking the silent corridor rule will initially be a 20-minute detention; any repeated failure to follow the school policy will result in an appropriate escalation of sanctions,” the letter said.

Some parents have criticised the announcement, with one woman, who didn’t want to be named, telling BirminghamLive, that she could not see the educational purpose of silent corridors. “It alienates young people and makes school feel like a prison rather than a place of learning,” she said.

https://www.independent.co.uk/news/world/europe/germany-afd-far-right-teachers-schools-pupils-political-views-berlin-a8595501.html

Teachers at a German school have reported themselves en masse to a far-right party after it asked pupils to spy on their political views so it could compile a list of its critics.

The AfD party has set up a system through which students can report and denounce their teachers to the party if they criticise it in class, or express related political views.

But teachers at the Lina Morgenstern School in Kreuzberg, Berlin, wrote a joint letter to the AfD asking for all their names to be voluntarily added onto the “denunciation list” it is compiling.

FaustusOctober 22, 2018 4:43 PM

@echo

The interesting question is whether you object to children being encouraged to snitch on their teachers for the views the teachers express only if it's done for right wingers? What if liberals ask children to report non-"woke" teacher viewpoints?

The more we try to control people we disagree with the more repressive our communities will become. Trying to silence anyone leads to silencing everyone except for the power hungry sadistic authorities our witch hunts empower, as your school story reflects.

It is an unvarying law that repression always ends up in the hands of the worst people, because it is only psychopaths who amuse themselves tormenting people. Whole psyches have things to do and don't have the time (nor the interest, nor the lack of empathy) needed to engage in programs of repression.

RatioOctober 23, 2018 2:00 AM

The Rise of Russia's GRU Military Intelligence Service:

[…] Whether it's the poison attack on ex-double agent Sergei Skripal in Salisbury, Britain, or a cyberattack in The Hague, the exposing of coup plans in the Balkans or the hacking of anti-doping agencies, of the U.S. presidential campaign, of the German federal parliament's computer network or of the Malaysian public prosecutor's office investigating the shooting down of an airplane over Ukraine, the GRU has been leaving its tracks everywhere. The series of blunders is surprising. But so too is the fact that this intelligence service has become so ubiquitous. Is it still even a military secret service or has it morphed into something bigger? And if so, how did GRU get there?

Andrei Soldatov also finds himself asking such questions recently. The Moscow-based journalist has spent years reporting on the world of the Russian secret services. Now, he no longer even understands it himself. He sounds a bit like a music critic who has been forced to listen to a jackhammer instead of a string quintet.

[…]

[…] Soldatov describes the story [of traces of an attack on an anti-doping conference that were found on a computer used in the attempted OPCW hack] as "a nightmare," adding that it is far more bizarre than the action in Salisbury. How, he asks himself, can a secret service act in such a dumb way? And what is going on in the heads of military officers who are sent to attack sports organizations rather than military targets?

As an aside, the unnamed “entrepreneur from Putin's circle in his home city St. Petersburg” heading Wagner is Evgeny Prigozhin, of course.

From ‘Putin's chef’ to ‘Putin's hitman’? After confessing to attacking and poisoning people on behalf of Evgeny Prigozhin, a newspaper source suddenly disappears:

Note to readers: Days before the article described below was published, someone left a severed goat’s head in a gift basket outside Novaya Gazeta’s newsroom in Moscow. Not long beforehand, the newspaper also received a funeral wreath addressed to Denis Korotkov, the author of this investigative report.

Very subtle.

MarkHOctober 23, 2018 3:05 AM

@Clive:

Thanks for the link about the Massachusetts gas distribution disaster.

It's difficult to defend against the type of fundamental error the utility company apparently made. A friend used to work at a nuclear power station, and I learned from him about the meticulous planning prior to any maintenance procedure.

It seems likely to me, that had a few more pairs of eyes reviewed the work order, somebody would have noticed the glaring omission. The best safeguards aren't necessarily technological.

That being said, I wonder (not knowing the dynamics of such systems) ... might it not be feasible to put some failsafe into the valve itself? Perhaps a fairly simple algorithm could use pressure, flow and time measurements at the valve body itself for an automatic trip -- essentially, a determination that "this combination of parameters should never occur for this length of time."

Another glaring gap is the 25 minute lag between 2 pressure alarms and some guy closing a valve. For me, it's obvious that this shutdown should be automated.

Human intervention shouldn't be required to do the safe thing, but rather to override the automatic shutdown if special conditions warrant.
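The valve-body trip MarkH sketches above (a combination of pressure, flow and elapsed time that "should never occur for this length of time" trips the valve automatically, and a human is only needed to override, not to act), as an added example that is not part of MarkH's comment or of any real utility's control system. The pressure limit, dwell time and telemetry values are constructed for illustration; the point is the latching logic, not the numbers.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sample:
    t: float         # seconds since start (constructed telemetry)
    pressure: float  # kPa (constructed)
    flow: float      # m^3/h (constructed)


class TripMonitor:
    """Latching automatic trip for a distribution valve.

    The abnormal condition is a combination: pressure above the limit while gas is
    still flowing through the valve. The trip fires only when that combination has
    persisted for at least `dwell_s` seconds, so a momentary spike does not shut the
    line down. Once tripped, the monitor stays tripped until an operator resets it;
    the human intervenes to clear the latch, not to perform the shutdown.
    """

    def __init__(self, max_pressure: float, dwell_s: float) -> None:
        self.max_pressure = max_pressure
        self.dwell_s = dwell_s
        self._abnormal_since: Optional[float] = None
        self.tripped_at: Optional[float] = None

    def is_abnormal(self, s: Sample) -> bool:
        # High pressure with the valve effectively closed (no flow) is a different
        # alarm; the trip is for pressure rising while gas keeps being pushed through.
        return s.pressure > self.max_pressure and s.flow > 0

    def feed(self, s: Sample) -> bool:
        """Process one measurement; return True while the trip is latched."""
        if self.tripped_at is not None:
            return True                      # latched: stays tripped regardless of new readings
        if not self.is_abnormal(s):
            self._abnormal_since = None      # condition cleared before the dwell expired
            return False
        if self._abnormal_since is None:
            self._abnormal_since = s.t       # start the dwell clock
        if s.t - self._abnormal_since >= self.dwell_s:
            self.tripped_at = s.t            # combination persisted too long: trip
        return self.tripped_at is not None

    def operator_reset(self) -> None:
        """Explicit human action to clear the latch after the cause has been inspected."""
        self._abnormal_since = None
        self.tripped_at = None


def run(monitor: TripMonitor, samples: List[Sample]) -> Optional[float]:
    """Feed a telemetry sequence in order and return the time of the trip, or None."""
    for s in samples:
        if monitor.feed(s):
            return monitor.tripped_at
    return None


if __name__ == "__main__":
    m = TripMonitor(max_pressure=50.0, dwell_s=3.0)
    # One-sample spike: no trip. Sustained overpressure with flow: trip at t=3.
    blip = [Sample(0, 10, 5), Sample(1, 60, 5), Sample(2, 10, 5)]
    sustained = [Sample(t, 60.0, 5.0) for t in range(10)]
    print("blip trips at:", run(m, blip))
    print("sustained trips at:", run(m, sustained))
```

The dwell timer is what keeps a sensor glitch from tripping the line, and the latch is what removes the 25-minute human-in-the-loop lag MarkH describes: the valve is already closed when the operator arrives, and the operator's job is to decide whether it is safe to reopen.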

WeatherOctober 23, 2018 3:05 AM

Win 2K3 FTP had a bug in cmpstr: it added plus one to values from 0x00-fe but ff added two.
Didn't get far looking after someone released a fuzzer PoC, but it was a DoS...

echoOctober 23, 2018 3:21 AM

@MarkH

That being said, I wonder (not knowing the dynamics of such systems) ... might it not be feasible to put some failsafe into the valve itself? Perhaps a fairly simple algorithm could use pressure, flow and time measurements at the valve body itself for an automatic trip -- essentially, a determination that "this combination of parameters should never occur for this length of time."

I was watching a documentary on the Apollo missions last week and remember they said something about the fuel control systems (?) being analogue with feedback thingys and valves and whatnot. There are much cruder equivalents in Victorian engineering. If nothing else these things tend to be idiot and hack proof so maybe you are onto something!

Wesley ParishOctober 23, 2018 4:16 AM

@Bruce

Point taken. Mea culpa - I didn't look closely enough for time of origin, etc. I still think it's a good idea - it'd provide a framework for deterring the types that go for low-hanging fruit, and might provide a framework for catching those with more ambitious goals.

Anyway, something interesting about Tor, courtesy of Motherboard:

https://motherboard.vice.com/en_us/article/d3qqj7/sim-card-forces-data-through-tor-brass-horn-communications

With that in mind, one UK grassroots internet service provider is currently testing a data only SIM card that blocks any non-Tor traffic from leaving the phone at all, potentially providing a more robust way to use Tor while on the go.

Now about advertising and hell hath no fury as an app scorned, which William Shakespeare did not write:

https://www.bloomberg.com/news/articles/2018-10-22/now-apps-can-track-you-even-after-you-uninstall-them

Uninstall tracking exploits a core element of Apple Inc.’s and Google’s mobile operating systems: push notifications. Developers have always been able to use so-called silent push notifications to ping installed apps at regular intervals without alerting the user—to refresh an inbox or social media feed while the app is running in the background, for example. But if the app doesn’t ping the developer back, the app is logged as uninstalled, and the uninstall tracking tools add those changes to the file associated with the given mobile device’s unique advertising ID, details that make it easy to identify just who’s holding the phone and advertise the app to them wherever they go.

No sense of proportion, some people.

jQuery? More like preyQuery: File upload tool can be exploited to hijack at-risk websites
https://www.theregister.co.uk/2018/10/22/jquery_file_flaw/

Larry Cashdollar, a bug-hunter at Akamai, explained late last week how the security shortcoming, designated CVE-2018-9206, allows a miscreant to upload and execute arbitrary code as root on a website that uses the vulnerable code with the Apache web server. This would potentially allow an attacker to, among other things, upload and run a webshell to execute commands on the target machine to steal data, change files, distribute malware, and so on.

Patch me, if you can: Grave TCP/IP flaws in FreeRTOS leave IoT gear open to mass hijacking
https://www.theregister.co.uk/2018/10/22/freertos_iot_platform_security_flaws/

Ori Karliner of Zimperium this month detailed 13 CVE-tagged security flaws, including several that allow for full remote code execution or a denial-of-service attack against at-risk devices.

Spotted: Miscreants use pilfered NSA hacking tools to pwn boxes in nuke, aerospace worlds
https://www.theregister.co.uk/2018/10/19/leaked_nsa_malware/

DarkPulsar itself is a backdoor that, when used with the Fuzzbunch exploit kit, gives the hacker remote access to the targeted server. From there, the attacker could use DanderSpritz with specialized plugins to monitor and extract data from the compromised servers.

Don't we just love the NSA! How many NSA networks are now compromised by the dark trinity of DarkPulsar, Fuzzbunch, and DanderSpritz? Come on, Freedom of Information request here! Aren't backdoors lovely, just loverly! Backdoors for everybody!
Wouldn't it be loverly?
Loverly
Loverly
Loverly

Loverly

echoOctober 24, 2018 3:28 AM

This is yet another example of the UK state being over the top when it suits itself, yet when it comes to systems and databases to protect people the state is incapable of functioning and full of excuses and extremely slow to even acknowledge state inadequacy, let alone begin to fix the problem.

How many people are killed by terrorists?
How many people are killed by UK state inadequacy?

https://www.theguardian.com/business/2018/oct/23/the-rogue-landlords-loopholes-how-the-law-fails-renters

JFOctober 24, 2018 7:38 AM

@Faustus

I was with you until this:

"The one reasonable concern I've heard is that this system enables people to sell their vote. I think this is a minor consideration as we effectively do already by electing whoever best panders to us"

Not so minor, but historically a fundamental problem. Grind people down enough, and votes can be had for a pittance; "Bring proof of your vote and get a free beer!"

Democracy seems so easy in concept, but in practice its design is somewhat arbitrary. In the US, the founding fathers in 1787 had a clean slate, and look at the fundamental compromises, which comprise flaws to our latter day eyes, they had to agree to, to get the constitution ratified.

Ever since, we have struggled to perfect this experiment, as the powers that be (or want to be) work assiduously to subvert it and entrench their control.

It seems to me we have an opportunity to make a leap in progress toward the integrity of elections, but only if we don't ignore historical lessons.

First, do no harm.

echoOctober 24, 2018 7:42 AM

https://www.nature.com/articles/d41586-018-07129-y
Here’s what the quantum internet has in store
Physicists say this futuristic, super-secure network could be useful long before it reaches technological maturity.

https://www.technologyreview.com/s/612327/europes-quest-for-an-unhackable-quantum-internet/amp/
Inside Europe’s quest to build an unhackable quantum internet
An ambitious project in the Netherlands aims to use quantum technology to foil hackers who try to spy on data flowing through the internet’s pipes.

bttbOctober 24, 2018 11:11 AM

From https://www.washingtonpost.com/politics/trump-and-republicans-settle-on-fear--and-falsehoods--as-a-midterm-strategy/2018/10/22/1ebbf222-d614-11e8-a10f-b51546b10756_story.html :

“President Trump has settled on a strategy of fear — laced with falsehoods and racially tinged rhetoric — to help lift his party to victory in the coming midterms, part of a broader effort to energize Republican voters with two weeks left until the Nov. 6 elections.
Trump’s messaging — on display in his regular campaign rallies, tweets and press statements — largely avoids much talk of his achievements and instead offers an apocalyptic vision of the country, which he warns will only get worse if Democrats retake control of Congress…”

also https://www.washingtonpost.com/politics/in-the-service-of-whim-officials-scramble-to-make-trumps-false-assertions-real/2018/10/23/0c271586-d6de-11e8-83a2-d1c3da28d6b6_story.html :

"The great election-eve middle-class tax cut [stated by Trump over the weekend] began not as a factual proposal, but as a false promise.

When President Trump abruptly told reporters over the weekend that middle-income Americans would receive a 10 percent tax cut before the midterm elections, neither officials on Capitol Hill nor in his administration knew anything about such a tax cut. The White House released no substantive information. And although cutting taxes requires legislation, Congress is not scheduled to be back in session until after the Nov. 6 elections.

Yet Washington’s bureaucratic machinery whirred into action nonetheless — working to produce a policy that could be seen as supporting Trump’s whim.

[...]

[a while back] The Pentagon leaped into action to both hold a military parade and launch a “Space Force” on the president’s whims. The Commerce Department moved to create a plan for auto tariffs after Trump angrily threatened to impose them. And just this week, Vice President Pence, the Department of Homeland Security and the White House all rushed to try to back up Trump’s unsupported claim that “unknown Middle Easterners” were part of a migrant caravan in Central America — only to have the president admit late Tuesday that there was no proof at all..."

bttbOctober 24, 2018 11:20 AM

From https://www.wired.com/story/mexico-migrant-caravan-misinformation-alert/ :

“Call it the era of misinformation. Call it a crisis of trust. If you must, call it fake news. The truth is that in 2018, hot-button news events are immediately weaponized online by interested parties, whether that’s foreign actors trying to undermine democracy, local politicians trying to rally their base, spammers trying to make a quick buck, even trolls in it for the old-fashioned lulz—or all of the above.

In this treacherous landscape, you need to be armed with facts, and an awareness that conversation you see online may not be what it appears, especially when it comes to divisive social issues like immigration…”

bttbOctober 24, 2018 11:38 AM

An opinion piece, https://www.nytimes.com/2018/10/23/opinion/egan-montana-gianforte-williams-governor.html :

“ [headline] The Best Way to Keep Democrats From Blowing This Election

The two biggest political thrusts of the Party of Trump — a tax cut for the rich that opened a tsunami of debt, and trying to take away health care from millions — are widely unpopular. It’s as simple as that.

We know that outrage has a minimal shelf life in the Trump era. Our president can give despots a license to kill, claim that climate change is going to magically reverse itself, make up nonexistent riots [Trump: "By the way, a lot of people in California don't like sanctuary cities, either. They're rioting there."] — and it all passes in a blur.

So it was last week, when the Mendacity Machine rolled into Montana for a rally on behalf of two of the least likable politicians in the Rocky Mountains. Trump praised one of those pols, Representative Greg Gianforte, a man with nouveau Gilded Age wealth and attitude to go with it, for committing criminal assault.

“Any guy who can do a body slam [on a Guardian journalist[1]], he’s my kinda guy,” said Trump…”

[1] Ben Jacobs, a Guardian political reporter, was asking Greg Gianforte about the Republican healthcare plan when the candidate allegedly [now, afaik, convicted] “body-slammed” the reporter.

https://www.theguardian.com/us-news/2017/may/24/greg-gianforte-bodyslams-reporter-ben-jacobs-montana

FaustusOctober 24, 2018 12:42 PM

@JF

First, thanks for following me to the offending paragraph in which I indicated I was not concerned about vote selling!!

The do no harm maxim is not really applicable. It seems we both agree that we have a flawed system. Sticking with the status quo because alternatives are only better, not perfect, is not reasonable in a world where nothing is perfect, and perfection is in the eye of the beholder.

A physician gives a cancer patient harmful drugs to fight a more harmful cancer without violating the do no harm maxim.

As far as perfection in the eye of the beholder goes: I really don't think that selling a vote is a problem. Why can't a person vote for whatever reason they wish? Obviously the poorer people are more likely to sell a vote, and I think the vote selling scandal idea really just reflects a distrust in the choices of poor people. Certainly nothing new, from the founding fathers on.

Also I really think anonymity of voting is a principle that is not compatible with security. It enables mass vote manipulation because there is no way to verify en masse that people's votes have been registered correctly. The best we can hope for is each person checking her own vote off an immutable database like a blockchain, and finding that vote by some arbitrary unique identifier that they make up and don't disclose.

Statistical methods and pervasive surveillance already can pretty much identify the enemies of a particular political view. I don't think verification officials having access to voter identity makes a big difference or creates significantly more exposure for the voter.
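The verification scheme Faustus sketches in this comment and in the October 19 one above (an immutable append-only store, each voter finding their own entry under an arbitrary identifier they made up and never disclosed, and anyone able to run their own tally) in a toy form, as an added example that is not part of any commenter's post and is not any real voting product. It assumes a single SHA-256 hash chain standing in for a blockchain, string choices, and a voter-chosen secret token whose hash is the only thing published; those are illustration choices, not a design from the thread.

```python
import hashlib
import json
import secrets
from typing import Dict, List, Optional

GENESIS = "0" * 64


class VoteLedger:
    """Append-only list of records, each committing to the hash of the one before it.

    A record stores only a receipt (hash of the voter's secret token) and the choice,
    so the public list never carries a voter identity. Assumed toy structure.
    """

    def __init__(self) -> None:
        self.records: List[Dict[str, str]] = []

    @staticmethod
    def _record_hash(prev_hash: str, receipt: str, choice: str) -> str:
        payload = json.dumps({"prev": prev_hash, "receipt": receipt, "choice": choice},
                             sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, receipt: str, choice: str) -> None:
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({"receipt": receipt, "choice": choice,
                             "hash": self._record_hash(prev_hash, receipt, choice)})

    def verify_chain(self) -> bool:
        """Recompute every hash from the genesis value; any edited record breaks the chain."""
        prev_hash = GENESIS
        for rec in self.records:
            if rec["hash"] != self._record_hash(prev_hash, rec["receipt"], rec["choice"]):
                return False
            prev_hash = rec["hash"]
        return True

    def lookup(self, receipt: str) -> Optional[str]:
        for rec in self.records:
            if rec["receipt"] == receipt:
                return rec["choice"]
        return None

    def tally(self) -> Dict[str, int]:
        """Anyone with a copy of the records can recount them with their own code."""
        counts: Dict[str, int] = {}
        for rec in self.records:
            counts[rec["choice"]] = counts.get(rec["choice"], 0) + 1
        return counts


def new_token() -> str:
    """Voter-chosen secret, drawn from the OS CSPRNG here; it is never sent to the ledger."""
    return secrets.token_hex(16)


def receipt_for(token: str) -> str:
    """Only the hash of the token is published, so the ledger cannot recover the token."""
    return hashlib.sha256(token.encode()).hexdigest()


def cast_vote(ledger: VoteLedger, token: str, choice: str) -> None:
    ledger.append(receipt_for(token), choice)


def check_vote(ledger: VoteLedger, token: str, expected: str) -> bool:
    """Whoever holds the token can confirm the recorded choice; that includes a vote buyer."""
    return ledger.lookup(receipt_for(token)) == expected


if __name__ == "__main__":
    ledger = VoteLedger()
    alice, bob = new_token(), new_token()
    cast_vote(ledger, alice, "A")
    cast_vote(ledger, bob, "B")
    print("alice sees her vote:", check_vote(ledger, alice, "A"))
    print("tally:", ledger.tally(), "chain intact:", ledger.verify_chain())
    ledger.records[0]["choice"] = "B"   # operator quietly rewrites a stored vote
    print("after tampering, chain intact:", ledger.verify_chain())
```

Two things the toy makes concrete. The integrity property is real: a rewritten record fails verify_chain() for anyone who kept a copy. But the same token that lets a voter confirm their entry lets anyone they hand it to confirm it as well, which is exactly the vote-buying and coercion objection JF and echo raise in their replies; and an intact chain says nothing about whether each receipt belongs to a registered voter, which is why Faustus separately wants totals reconciled against registrations.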

Clive RobinsonOctober 24, 2018 4:37 PM

@ echo,

Inside Europe’s quest to build an unhackable quantum internet

They only mention the "Distance Problem" there are others such as the "Switching Problem" to consider as well as the "Generation Problem" and the "Absorption / Attenuation Problem".

The Chinese "node to node system" gets over those problems where as the "user to user system" described does not.

The distance problem is kind of a combination of other problems and can not be overcome by the usual communications system solution of "turning the wick up". Currently the issue is generating "qubits on demand" at high rates. Even if you could get an increased rate other problems become the limiting factor. Thus the information bandwidth of qubit fiber optics is going to remain a tiny tiny fraction of a percent of the ordinary optical bandwidth for the foreseeable future.

Based on what we currently know is feasible the Chinese node to node solution is fully implementable, whereas the user to user model is a "single pipe" dream currently.

Like the journalist I can not see Governments allowing people to have secrets from the Extended Five Eyes group of SigInt agencies. Thus I put the probability of the EU system becoming an every day reality as low compared to the Chinese system.

bttbOctober 24, 2018 4:52 PM

From https://www.emptywheel.net/2018/10/24/who-is-paying-kevin-downings-bills-to-serve-as-trumps-mole/ :

“... What I don’t understand, however, is who is paying for Kevin Downing’s legal bills?

Using CNN’s report (based off their really valuable stake-out), Manafort has lawyers, plural, at these sessions and they had already had — through last Wednesday — around 54 hours of meetings with Mueller’s team. Assuming just two attorneys present and a very conservative $500 hourly fee, Manafort’s attorneys would have billed $54,000 just for in-person time; the real amount might be twice that.

Judge Amy Berman Jackson has already approved the order permitting DOJ to move towards seizing some $46 million in money and property tied to Manafort’s ill-gotten gains (they had to wait until October 20 to start moving on Manafort’s Trump Tower apartment), so the process of stripping these assets before any Trump pardon could forestall that process is already in the works. One explanation for Manafort accepting a plea deal was to save the cost of a trial, but his lawyers have already spent over a week’s worth of time sitting in on his cooperation sessions. Paul Manafort has been going slowly but spectacularly bankrupt since March 2016 (though he remarkably still employs a spokesperson), and forfeiture only speeds that process.

So who just paid upwards of $50K to make sure Rudy G would continue to get reassuring reports that Manafort has yet to flip on the President?

[…]

earlofhuntingdon
says:
October 24, 2018 at 12:11 pm
Possible bombs have been sent to famous rich liberal politicians [in the USA].  In the German model, the intent would be to co-opt them into agreeing to take more drastic action to protect the Homeland.  Next, the Reichstag fire.”

JFOctober 24, 2018 5:34 PM

@Faustus

You give much to think about, but let's consider that statement to which I had objected:

"The one reasonable concern I've heard is that this system enables people to sell their vote. I think this is a minor consideration as we effectively do already by electing whoever best panders to us"

Is there a difference between selling your vote, which may elect an unethical candidate or decide a question antithetical to your interests, and voting for a candidate because they pander to your needs? I think yes. I would say the essence of democracy is your ability to vote for that which you believe to be in your best interests. Conversely, if my neighbor is induced to vote against his or her interest because they are "bought", then I think the principle of one person/one vote is violated.

"Sticking with the status quo because alternatives are only better, not perfect, is not reasonable in a world where nothing is perfect, and perfection is in the eye of the beholder."

I am not against the better, I just don't think we should go backwards where progress has been made.

echoOctober 24, 2018 9:00 PM

The issue with selling your vote is it breaches the privacy of the voting booth. Not only does this provide a verifier of loyalty but also reveals who to menace.

https://www.standard.co.uk/news/politics/no10-planted-decoy-letters-demanding-pm-confidence-vote-tories-claim-a3969371.html

Tory MPs believe No 10 have planted “decoy” letters demanding a confidence vote in Theresa May in a bid to wrongfoot the real plotters trying to unseat her.

I have no idea if this is true or not but egotism, lies, threats, and worse seem to be some politicians stock in trade.

This is very obscure but I am aware of UK establishment and state workers covertly monitoring social media then using this knowledge to threaten and punish citizens in receipt of government services whose small "p" politics didn't agree with the staff. There are claims this practice was stamped out and the more overt practice has stopped but this isn't quite true. There is still plenty of unethical and unlawful behaviour within the UK state on a low level everyday basis including among those who should know better.

echoOctober 24, 2018 9:33 PM

@Clive

Based on what we currently know is feasible the Chinese node to node solution is fully implementable, whereas the user to user model is a "single pipe" dream currently.

I read the article initially in bed late the other night and was a bit fuzzed in the head and missed that the EU project is still work in progress.

What you suggest, that Five Eyes wouldn't allow it, does fit with the established strategy of securing networks against foreign adversaries while backdooring them as much as possible domestically. This pretty much seems to be the security model of big companies providing mass market solutions too. Psychology and sociology may have input here in the sense that the village doesn't scale, hence the creation of abstracted walled gardens and panopticons. Privacy like random numbers may be an illusion in the sense of private enough that we cannot detect breaches of privacy yet still transparent so those with the skill can unwrap privacy.

The more important priority for me is verification of nodes of power within organisations. So called "trusted" nodes can be anything but, and the mechanisms for removing the malware can be limited in some cases. The UK government and large organisations don't seem as interested in security at this level as much as they should. UK policing has always been bad at prosecuting white collar crime and dismisses low level harassment and corruption as "tittle tattle" taking up "valuable" police time.

I have always felt people have unfairly sneered at PCOS (Police Community Officers). Not only do they not receive quality training they have little organisational authority. Similar is true of careworkers in the social field.

I wonder if some state models such as mainland European style proportional representation and splitting the police force similar to the French system and aspects of German federal and administrative organisation might improve UK governance and make for a fairer and more secure society.

Wesley ParishOctober 25, 2018 4:56 AM

A pile of interesting security-related stuff courtesy of Slashdot-as-pointer

New Windows Zero-Day Bug Helps Delete Any File, Exploit Available
https://www.bleepingcomputer.com/news/security/new-windows-zero-day-bug-helps-delete-any-file-exploit-available/

Although deleting operating system files and the prospect of privilege escalation are serious threats, the bug is "low quality" and a "pain to exploit," as SandboxEscaper herself describes it.

Apple Just Killed The 'GrayKey' iPhone Passcode Hack
https://www.forbes.com/sites/thomasbrewster/2018/10/24/apple-just-killed-the-graykey-iphone-passcode-hack/#580f62a85318

Though it’s clear Apple has locked GrayShift out, no one actually knows just how the iPhone maker has done it. Vladimir Katalov, chief of forensic tech provider Elcomsoft, has repeatedly uncovered weaknesses in Apple technology. But he was stumped too.

Google mandates two years of security updates for popular phones in new Android contract
https://www.theverge.com/2018/10/24/18019356/android-security-update-mandate-google-contract

Manufacturers have to patch flaws identified by Google within a specific timeframe. By the end of each month, covered devices must be protected against all vulnerabilities identified more than 90 days ago. That means that, even without an annual update minimum, this rolling window mandates that devices are regularly patched. Additionally, devices must launch with this same level of bug fix coverage. If manufacturers fail to keep their devices updated, Google says it could withhold approval of future phones, which could prevent them from being released.

The stick, for when the carrot won't suffice.

Government Spyware Vendor Left Customer, Victim Data Online for Everyone to See
https://motherboard.vice.com/en_us/article/vbka8b/wolf-intelligence-leak-customer-victim-data-online

“This is a very stupid story in the sense that you would think that a company actually selling surveillance tools like this would know more about operational security,” CSIS co-founder Peter Kruse told Motherboard in an interview. “They exposed themselves—literally everything was available publicly on the internet.”

There's an oldish English one-liner proverb, The biter bit, which seems particularly apt here.

New study claims data harvesting among Android apps is "out of control"
https://www.techspot.com/news/77077-new-study-claims-data-harvesting-among-android-apps.html

According to The Financial Times, which first reported the research, information shared by these third-party apps can include age, gender, location, and information about a user’s other installed apps. The data "enables construction of detailed profiles about individuals, which could include inferences about shopping habits, socio-economic class or likely political opinions."

and

Responding to the report, Google said: "Across Google and in Google Play we have clear policies and guidelines for how developers and third-party apps can handle data and we require developers to be transparent and ask for user permission. If an app violates our policies, we take action."

I need more info before I make up my mind.

Now if your favourite hobby is receiving obscene phone calls from the US Commander-in-Chief, you might want to reconsider your hobby:

China and Russia listen in on Trump's personal phone calls: NYT
https://thehill.com/homenews/administration/413044-china-and-russia-listen-in-on-trumps-phone-calls-nyt

U.S. spy agencies have determined that Russia and China are eavesdropping on President Trump's personal phone calls in order to gain information that they can use to influence American policy, according to a New York Times report.

Maybe they find it comforting. Takes all kinds to make a world.

Now we come to ElReg:

Ex spy bosses: Cyber-warfare needs rules of engagement for nations to promptly ignore
https://www.theregister.co.uk/2018/10/24/cyber_warfare_oracle/

Hayden emphasized that this wasn’t about setting one hard and fast rule, as different factors might warrant a different decision; rather he urged a discussion of the balance of privacy, security, freedom and liberty.

I'm reminded of something Jorge Luis Borges said in one of his very short pieces: that the unicorn is not recognized because we don't know what to look for.

That Saudi oil and gas plant that got hacked. You'll never guess who could... OK, it's Russia
https://www.theregister.co.uk/2018/10/24/triton_malware_attack/

Among the evidence presented by FireEye was the attacker's use of an IP address registered to CNIIHM and logs that showed much of the TEMP.Veles activity occurring during standard Russian business hours.

Good to see some actual evidence referred to in attribution for once, instead of the usual chuck the dart, and whatever it falls on, is thereby labeled the bullseye. Better still if we could see the logs, but ...

From 'WebEx' to 'WebExec' to 'WTF, my PC!' Cisco rapped in chat app security flap
https://www.theregister.co.uk/2018/10/25/white_hats_pop_webex/

Cisco described the programming blunder thus: “The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.”

One of the perennial errors - insufficient validation. A lecturer I had in the 90s said throw anything and everything at the code, just to make sure you know how and why and where it falls over, so you can fix it. Also known as check your ego in at the door. FWIW

echoOctober 25, 2018 6:41 AM

@Wesley Parish

One of the perennial errors - insufficient validation. A lecturer I had in the 90s said throw anything and everything at the code, just to make sure you know how and why and where it falls over, so you can fix it. Also known as check your ego in at the door. FWIW

Apart from basic logic and inline documentation I was taught this in college years ago. My lecturers were boring in the sense that old school "data processing" was still a thing. They never quit giving me grief because I said with the right dot matrix printer and right control codes you could print a picture.

Apple Daisy Wheel Printer graphics demo
https://www.youtube.com/watch?v=tkGigZrVMbE

As an aside Tim Berners-Lee has admitted that if he was to design URLs today he would do things differently, I believe due in part to the specification for URLs being a validation nightmare. Buried in now old code rotting on one of my archive discs somewhere is a URL parser. I remember coding it being an utter nightmare. Writing code for marked up text files wasn't fun either!

I have never understood the religious opposition to human readable files having a binary equivalent. As long as they can be parsed and translated either way and a specification is able to mandate both are supported I don't understand what the problem is.

vas pupOctober 25, 2018 8:45 AM

@Clive: new research could help mapping brain functions and development of AI models closely resembling human brain activity, but to better understand this your high level of expertise is required.

Electrical properties of dendrites help explain our brain's unique computing power:

https://www.sciencedaily.com/releases/2018/10/181018141057.htm

"Neurons in the human brain receive electrical signals from thousands of other cells, and long neural extensions called dendrites play a critical role in incorporating all of that information so the cells can respond appropriately.

Using hard-to-obtain samples of human brain tissue, MIT neuroscientists have now discovered that human dendrites have different electrical properties from those of other species. Their studies reveal that electrical signals weaken more as they flow along human dendrites, resulting in a higher degree of electrical compartmentalization, meaning that small sections of dendrites can behave independently from the rest of the neuron.

Neural computation

Dendrites can be thought of as analogous to transistors in a computer, performing simple operations using electrical signals. Dendrites receive input from many other neurons and carry those signals to the cell body. If stimulated enough, a neuron fires an action potential -- an electrical impulse that then stimulates other neurons. Large networks of these neurons communicate with each other to generate thoughts and behavior.

The structure of a single neuron often resembles a tree, with many branches bringing in information that arrives far from the cell body. Previous research has found that the strength of electrical signals arriving at the cell body depends, in part, on how far they travel along the dendrite to get there. As the signals propagate, they become weaker, so a signal that arrives far from the cell body has less of an impact than one that arrives near the cell body."

JG4October 25, 2018 9:02 AM


This would have been in a recent compendium. It reminded me of the various approaches to beating the house that have been discussed here from time to time. Different house, different vulnerability, same result.

How a Gang of Hedge Funders Strip-Mined Kentucky’s Public Pensions The Intercept

Today's extract

https://www.nakedcapitalism.com/2018/10/link-10-25-18.html
...

Big Brother is Watching You Watch

‘City of Surveillance’: Google-backed smart city sounds like a dystopian nightmare RT. Kevin W: “Creepy video.”

How to Clear Your Search History Off of Google’s Servers With the Company’s Latest Update LifeHacker (David L). If you think the NSA doesn’t retain this info, I have a bridge I’d like to sell you.

The One Place in the US Google Earth Stopped Mapping Motherboard (JTM)

Thousands Of Swedes Are Inserting Microchips Under Their Skin NPR

Ecuador says Assange must sort out own issues with Britain Guardian (Brooklyn Bridge) :-(
...

TimothyOctober 25, 2018 9:48 AM

Twitter launched an Ads Transparency Center in June 2018. The center is open to everyone on Twitter and the general public. You can search advertisers and see the details behind certain types of ads.

The Ads Transparency Center has a particular focus on election communication and provides more granular details about accounts and ads involved in that process including: all past and current ads served on the platform for a specific account, the targeting criteria and results for each ad, the number of views, and more.

Further, if an Issue advertiser promotes content for a candidate running for election or discusses an issue of legislative national importance you can see more information in each Tweet’s ad details, including the identity of who is funding the campaign.

https://ads.twitter.com/transparency

Twitter has been taking stronger measures to police their platform in response to events like the foreign influence campaigns affecting the 2016 elections. The U.S. Senate Select Committee on Intelligence held a hearing “Foreign Influence Operations' Use of Social Media Platforms (Company witnesses)” on September 5, 2018. During the hearing Twitter’s CEO Jack Dorsey testified on the many measures Twitter has and will be taking to avoid the hijacking of its platform by foreign interests. These strategies include combating malicious automation, creating a political conversations dashboard, implementing candidate verification and election labels, and increasing safety measures for accessing public tweet data. (Facebook’s Sheryl Sandberg also testified. Google was invited but did not send a representative for the hearing; Google offered to send their top lawyer, but turned down the committee’s requests for either Alphabet’s or Google’s CEO.)

vas pupOctober 25, 2018 12:20 PM

Who decides the morals of a driverless car?

https://www.dw.com/en/who-decides-the-morals-of-a-driverless-car/a-46039098

"The main differences found were based on geographic and cultural divides, though all of the regions preferred sparing law-abiding bystanders when having to choose between hitting them or jaywalkers."[RIGHT!!! As a rule, those who abide by the law should be in a better position than those who break it. Same applies for any policy implementation - like in second citation below]

"While few codified policies have been passed for driverless cars, the German Ethics Commission on Automated and Connected Driving proposed the following in 2017: "In the event of unavoidable accident situations, any distinction based on personal features (age, gender, physical or mental constitution) is strictly prohibited. It is also prohibited to offset victims against one another. General programming to reduce the number of personal injuries may be justifiable."

Bob PaddockOctober 25, 2018 3:42 PM

@vas pup

A couple of years ago I attended a White House Office of Science and Technology hosted event at Carnegie Mellon University about Robotics. Top people from Google, Uber, CMU, many others and Government acronyms such as DARPA and IARPA were there. This is what they were most concerned with all day:

"Statistically we know that we WILL kill a Child [with our technology]. How do we handle the aftermath of that?"

They had no answer.

They also had no answer to the question of kill the people in the car, or the people not in the car.

A human driver will make a judgment, based on their own personal experiences and beliefs, and to date that human judgment can't be automated into an algorithm.

Clive RobinsonOctober 25, 2018 6:24 PM

@ Wesley Parish, echo,

One of the perennial errors - insufficient validation.

That statement is actually an error in its own right ;-)

Just as with everything else in life, you can have too much of a good thing, or have it in an inappropriate place / time. Which unfortunately is mostly what happens :-(

Validation is like the problem of defence spending, you never know when you are spending too much, and the only time you know you are spending too little is when you get attacked.

As most here know most management insist on underspend. The exception is usually the Chief Security Officer who appears to most other managers to be like a war-hawk by insisting on more spending[1].

As with both defence and validation there is always a third party supplying services in a way that is good for them but not those they are selling their services to... You can see where both the game and the money go to and neither benefits the actual purpose of validation or defence.

Like defence there is a balance for validation, too little and direct attacks are possible, too much and the issue of systems failing because validation does not happen in a usable or timely way, which means it is at best "a self Denial of Service" attack, at worst it makes DoS attacks by others that much easier...

So you have to "find the balance" which is not just difficult but it changes for every change in the system. Worse the fulcrum shifts as well so you can end up putting way too many resources in the wrong place to get the balance, which has knock on effects just as it does in the physical world.

Thus the sensible design is based around an extensible framework that can easily be reconfigured even dynamically, which can be used in a number of ways at different times and places in any given system, so not just at log-on or start-up etc. Such systems rarely get designed for various reasons both technical[2] and economic, which means there is a lack of experience in the industry in general.

One manifestation of this lack of industry experience, is what we see way more often than we should, which is standards / protocols hit with "fall-back" attacks. Basically you almost always end up with a lowest common denominator between two processes not the highest which as a direct byproduct gives the weakest security. This gets worse as time progresses, because older protocols become vulnerable to new classes and instances of attack vector.

Due to poor framework design and poor system management whilst newer and stronger protocols "might" get added, for "backwards-compatibility" reasons old weak protocols almost "never" get removed...

Worse, to avoid "user confusion" what protocols are in use at any given time are effectively kept hidden from the user, thus the weak protocols get exploited somewhere, often unnoticeably..

We saw this weak protocol exploitation with HTTP and the SigInt entities "collect it all" policy, eventually the word got out sufficiently loudly and some but not all have switched to HTTPS.

But fall-back attacks keep happening, either directly by an attacker to attempt to gain unauthorised access, or more subtly by a Man In The Middle (MITM) attack whereby a legitimate user has their communications security downgraded such that their traffic becomes susceptible to not just eavesdropping, but also injection attacks (this has happened with Banking Apps etc).

I've been mentioning this for several years now[3] not just here but in other places as well... But for all the take up it's had I could just as easily have shouted it off of a roof top at midnight in a deserted town, where even the tumble weed blowing through appears deaf...

[1] There is however a difference between the Chief Security Officer and War Hawks. The Chief is almost always in a significant negative spending position, whilst the war-hawks are almost always in a positive spending position. That is the Chief can demonstrate that they are very much under attack and need to spend more. The war-hawks can not demonstrate that they are under any attack therefore they need to repeatedly invent new ever more existential threats that need trillion dollar defence systems...

[2] One significant technical detail is programmers inability to handle errors and exceptions correctly or even at all. The general trend is to push error checking as far to the left as possible to simplify the program logic by trying to make it not just sequential but unidirectional. The side effect of which is an error or exception can not be unwound and dealt with in another way, thus the old "Crash out and Burn" "Blue Screen of Death" etc usually prefaced with that "click to exit" error message pop-up box and attendant data loss etc.

[3] In fact for all of this century and at least half a decade back into the previous century... Mainly to do with "financial transaction" security. I suspect that at some point there will be a major wake up call that acts as a tipping point, because we've had a few near misses with a number of communications standards and protocols over the years. But unfortunately none have quite yet reached the tipping point... but there's always tomorrow ;-)
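
The fall-back attack described in the comment above, as an added example (editor's code, not the commenter's; the version names, the preference order and the fixed transcript key are assumptions of this toy). A client offers the versions it supports, a server keeps an old one around "for compatibility" and picks the strongest mutual option, and an active man-in-the-middle rewrites the offer on the wire so that "strongest mutual" becomes the weakest. Two defences are shown: a client-side floor, which stops the blatant case, and a MAC over the negotiation transcript computed independently by both ends (what the TLS Finished messages provide), which also catches a downgrade that lands above the floor.

```python
"""Protocol version negotiation, a downgrade MITM, and two defences."""
import hashlib
import hmac

# Illustrative version names; higher number = newer and stronger.
STRENGTH = {"legacy-v1": 1, "v2": 2, "v3": 3, "v4": 4}
SERVER_SUPPORTED = set(STRENGTH)          # the old version was never removed

# Stand-in for the per-session key both ends derive during the handshake.
# A fixed constant is an assumption of this toy; the binding is the point.
TRANSCRIPT_KEY = b"handshake-derived-key"


def server_choose(offered):
    """Server picks the strongest version in the offer that it also supports."""
    mutual = [v for v in offered if v in SERVER_SUPPORTED]
    return max(mutual, key=STRENGTH.__getitem__) if mutual else None


def mitm_strip(keep_at_most):
    """Active attacker on the wire: delete every offer stronger than keep_at_most."""
    limit = STRENGTH[keep_at_most]
    return lambda offered: [v for v in offered if STRENGTH[v] <= limit]


def transcript_mac(offered, chosen):
    """MAC over the negotiation transcript, as each side saw it."""
    msg = ",".join(offered).encode() + b"|" + chosen.encode()
    return hmac.new(TRANSCRIPT_KEY, msg, hashlib.sha256).digest()


def negotiate(client_offer, floor=None, attacker=None, check_transcript=False):
    """One negotiation. Returns (chosen_version, outcome)."""
    on_wire = attacker(client_offer) if attacker else list(client_offer)
    chosen = server_choose(on_wire)
    if chosen is None:
        return None, "no-mutual-version"
    server_mac = transcript_mac(on_wire, chosen)          # server MACs what it received
    if floor is not None and STRENGTH[chosen] < STRENGTH[floor]:
        return chosen, "rejected-below-floor"
    if check_transcript:
        client_mac = transcript_mac(client_offer, chosen)  # client MACs what it sent
        if not hmac.compare_digest(client_mac, server_mac):
            return chosen, "rejected-transcript-mismatch"
    return chosen, "accepted"


CLIENT_OFFER = ["legacy-v1", "v2", "v3", "v4"]

if __name__ == "__main__":
    print("honest:          ", negotiate(CLIENT_OFFER))
    print("stripped, naive: ", negotiate(CLIENT_OFFER, attacker=mitm_strip("legacy-v1")))
    print("stripped, floor: ", negotiate(CLIENT_OFFER, floor="v2", attacker=mitm_strip("legacy-v1")))
    print("above floor:     ", negotiate(CLIENT_OFFER, floor="v2", attacker=mitm_strip("v3")))
    print("transcript check:", negotiate(CLIENT_OFFER, floor="v2", attacker=mitm_strip("v3"),
                                          check_transcript=True))
```

The floor alone is not enough: an attacker who only strips the newest version still gets "v3" accepted, and that is exactly the situation when a fresh attack against v3 appears. The transcript MAC works because the attacker cannot produce a MAC under a key the endpoints derive between themselves; what the toy does not model is a client that retries on its own with a lower version after a failed handshake, the case that TLS_FALLBACK_SCSV was introduced to signal.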

echoOctober 25, 2018 6:48 PM

@Clive

This is the same in any organisation whether a state or lower level entities. Validation in the form of human rights and similar law and policy and implementation is a useful counter balance. All of this is wired in to both the European treaties and at the last time of checking UK MOD strategy. All of this covers domestic and foreign, and military and civil sectors.

As I suspected UK police are trying to do an end run of all this and are holding their sticky fingers out for more money. This didn't take very long! In fact I believe the whole thing was a strategy from asserting authority to handwaving about social pressure leading up to the financial demand which was their true intent. There are also calls to concentrate power at a higher national level following very rapidly on from exposing the police inability to create database systems to track protection orders and the appalling lack of information sharing. Police have also sneakily been trying to "normalise" the carrying and use of tasers while stripping people of the right to use .50 calibre rifles when in reality the licenced rifles are effectively exclusively held on military bases for competition level shooters.

The basic strategy of UK police is to break free of policing by consent and arm themselves more and resist social change while sticking their hands out for money. Money to do what? Double down? Taser more people? Build more glittering castles on the hill? Double then triple down with canteen culture and swagger like a banana republic jobsworth with a chest full of unearned decorations?

https://www.independent.co.uk/news/uk/home-news/police-funding-cuts-tories-crime-public-safety-justice-home-affairs-committee-a8600216.html

echoOctober 25, 2018 8:30 PM

https://www.theguardian.com/uk-news/2018/oct/25/all-roles-in-uk-military-to-be-open-to-women-williamson-announces

All roles in UK military to be open to women, Williamson announces. Women to be able to apply for all jobs including in frontline infantry, Royal Marines and SAS.

The UK military is now opening all roles including tier 1 special forces to women! This is on top of other reforms which have opened the doors to LGBT people. In theory the UK military is now fully inclusive.

This very definitely does add capabilities UK military did not have before. In some respects this is a self-fulfilling policy as EU style human rights and equality aren't just domestic issues but issues of foreign policy. Access to these skills and insights is necessary to "understand the mind of the enemy" and "get behind the lines". It also opens up the opportunity to develop organisations with broader and more insightful views and how they position and engage with the world.

On paper at least America is now falling behind due to some very iffy politics at the top.

Clive RobinsonOctober 25, 2018 8:34 PM

@ vas pup,

With regards the human -v- rat brain issue there is insufficient information to say if the claims of compartmentalization are valid or not.

The claim is that the human dendrites are longer and signals are weaker. Well when you consider a low frequency transmission line you have both resistance and capacitance evenly distributed along it, the signal that arrives at the far end and its rise and fall times is unsurprisingly related to the length of the transmission line, just like that of the dendrite.

So that is not evidence of compartmentalization just common or garden attenuation with distance.

Dendrites are a little like the roots of a plant, they have many inputs but only one output which is at the soma (neuron body). Neurons are known to trigger on not just level of potential but rates of change of potential.

If you join three segments of low frequency transmission line to form a Y of two inputs and one output you expect various effects to happen depending on the lengths of each segment and the ratios of their impedance and capacitance.

I won't go into it in detail but if you consider the neuron at one of the inputs triggers there is a short sharp burst of energy. Thus a fast rise time high potential short duration pulse at that input to the dendrite / transmission line segment. As the pulse travels down the transmission line it gets the edges slowed, the pulse widens out and the peak potential drops. Thus the transmission line acts as an integrating filter with an integration constant proportional to distance.

Each Y junction effectively sums the outputs from the two input segment integrators and puts the result into the third segment integrator.

Thus the transfer function is somewhat complex and very much dependent not just on the energy at each input but the time relationship between the inputs. If the input pulses are the same but effectively out of phase you get two separate reduced pulses. However if they are in phase you get a single pulse but of increased energy. The pulse shape is quite dependent on the original pulse shapes and the integration constant of each segment prior to entering the summing node.

Summers and integrators are the basic functional components of an analogue computer. Thus the dendrite can be assumed to be doing not just signal processing but sequential additive computation to the soma of the neuron. The neuron body can be considered to likewise be a summer but also with weighted gains for each soma. The resulting signal can then be considered to in effect modulate the repetition rate of the neuron pulsing.

If you look at artificial neural networks they try to emulate the neuron behaviour. However they usually do not have the integration, time delay and summing effects of the dendrites just a summing function. Likewise the neural networks generally have very uncomplicated transfer functions.

I hope that helps a bit, but the information reported is somewhat limited at best. And in my opinion is insufficient to support the claims they also are reporting. What the researchers actually say in their paper appears to be locked behind a paywall currently.
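
The transmission-line model in the comment above, turned into a small numerical sketch (added example, not the commenter's code and not from the MIT paper; the stage counts, the smoothing coefficient and the pulse shape are assumptions chosen to make the effects visible). Each line segment is a cascade of first-order RC low-pass sections, so a short pulse comes out lower and wider the more sections it passes through, and a Y junction is a sum followed by another segment, which is why two inputs firing together produce a larger peak at the soma end than the same two inputs firing apart.

```python
"""Dendrite segments as cascaded RC low-pass sections (constructed model)."""


def rc_segment(signal, stages, alpha=0.3):
    """Pass a sampled signal through `stages` cascaded first-order RC
    low-pass sections, y[n] = y[n-1] + alpha*(x[n] - y[n-1]).
    More stages stands in for a longer length of line (assumption)."""
    out = list(signal)
    for _ in range(stages):
        y, filtered = 0.0, []
        for x in out:
            y += alpha * (x - y)
            filtered.append(y)
        out = filtered
    return out


def pulse(total, start, width, height=1.0):
    """Constructed input: a short rectangular pulse, the 'short sharp burst'."""
    return [height if start <= i < start + width else 0.0 for i in range(total)]


def peak(sig):
    return max(sig)


def half_width(sig):
    """Number of samples at or above half the peak: a crude width measure."""
    p = peak(sig)
    return sum(1 for v in sig if v >= p / 2)


def y_junction(a, b, trunk_stages, alpha=0.3):
    """Sum two branch outputs at the junction, then integrate along the trunk."""
    summed = [x + y for x, y in zip(a, b)]
    return rc_segment(summed, trunk_stages, alpha)


def soma_peak(delay, n=400, branch_stages=4, trunk_stages=6):
    """Two identical inputs firing `delay` samples apart; peak reaching the soma."""
    a = rc_segment(pulse(n, 20, 5), branch_stages)
    b = rc_segment(pulse(n, 20 + delay, 5), branch_stages)
    return peak(y_junction(a, b, trunk_stages))


if __name__ == "__main__":
    near = rc_segment(pulse(400, 20, 5), 2)
    far = rc_segment(pulse(400, 20, 5), 10)
    print(f"2 stages:  peak={peak(near):.3f} width={half_width(near)}")
    print(f"10 stages: peak={peak(far):.3f} width={half_width(far)}")
    print(f"in phase: {soma_peak(0):.3f}  out of phase: {soma_peak(60):.3f}")
```

Because each section has unity DC gain the total charge in the pulse is spread out rather than lost, which is the "integrating filter" behaviour; the in-phase versus out-of-phase difference at the soma follows from linearity, since two responses that peak at different times cannot add up to the peak they reach when aligned.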

Clive RobinsonOctober 25, 2018 9:24 PM

@ Bruce and all frequent flyers,

You need to take note of this,

https://spaceweatherarchive.com/2018/10/24/atmospheric-radiation-increasing-from-coast-to-coast-in-the-usa/

At this time of Solar minimum two longhaul flights are enough to put you in the "Radiation Environment Worker" class or use up your annual "X-Ray limit".

The problem is we really do not know what is safe and what is dangerous with the various types of radiation. For instance predictions for Chernobyl at the time of the accident would indicate that the area would most certainly not be the haven for healthy wild life currently seen there. Likewise the predictions after the two US nukes dropped on Japan at the end of the Pacific War of WWII were more dire than have actually happened.

There is now some evidence to suggest that small levels of certain types of radiation might actually be not just not dangerous but might actually have some benefits in certain organisms.

Whatever the reality is long haul flights are very unlikely to be healthy in so many ways, teleconferencing most definitely might be a better way.

@ ALL,

It's increasingly likely the UK will crash out of Europe in March coming. Whilst it might not be seen at the moment as much of an issue you need to consider the position of UK airports in Global Travel. If the UK does crash out then all EU flights to the UK will cease under current agreements, likewise aircraft crossing UK to EU airspace or back.

There are also issues that might result in all electronic communications that go through the UK currently not being connected to or through Europe...

The EU appears resigned to the inevitability of these issues, the UK Politico's are however like the alleged behaviour of Roman Emperor Nero "fiddling with themselves whilst all around them burns"...

Thus I would not be making any travel or business plans for the second and third quarters of 2019 as things are most likely going to change for the worse, a lot worse.

WeatherOctober 25, 2018 11:36 PM

Clive
They are batteries in series, not copper wire, the batteries can be simmed with ltspice, using capacitors, which batteries are, but it's the algorithm that you need to work out, the ai from child to adult is not the algo,
A basic version: you have 256 links, each is given a value, if the link gets used more it gets a higher value, but anyway in between a new link can form, which the source doesn't have the information for, but it has a value,
Sort out from 256 different paths with 16 possible branches from a to b, that is the algorithm, how do you make a long jmp

ThothOctober 26, 2018 1:03 AM

@all

As the week passes with all the huge hype and hate laid down on Blockchain technology, we simply missed the following huge issues as it passes right under our noses undetected until later on in time when it becomes difficult to reverse policies.

- National Australia Bank demos using facial recognition to allow ATM withdrawals.
[https://www.nfcworld.com/2018/10/25/358422/national-australia-bank-demos-face-recognition-atm/]

MarkHOctober 26, 2018 1:42 AM

@Clive, re. wildlife in the Chernobyl Exclusion Zone:

My very slightly informed understanding of this, is that an environmental hazard (in this case, radionuclides from the reactor core) can do substantial harm to a fraction of individuals while leaving the population healthy.

Essentially, this is the normal condition for wildlife populations: in a robust and fairly stable population, many individuals die from predation, starvation and disease.

In the Exclusion Zone, analysis is presumably complicated by an extremely uneven geographic distribution of radioactive contamination.

Another way to think about the wildlife resurgence there, is that although radiation poisoning is a heavy stress, having people around is vastly worse :(

Clive RobinsonOctober 26, 2018 4:21 AM

@ Weather,

They are battery in series, not copper wire,

Err where did I mention "copper wire" or wire at all?

I did not, I was talking about transmission lines which can be made of many things.

In this particular case of the dendrite it has resistance and capacitance per unit length.

Which you would get if you used say two thin carbon rods or two pieces of thread wetted with many types of solution like salt water. Likewise you would also get the same between the surfaces of two lengths of properly arranged semiconductor etc.

All that is required is some ability to transmit charge in a consistent and continuous way in a constrained environment.

The important difference is what I described is continuous not discrete. Your model with batteries is discrete not continuous.

Clive RobinsonOctober 26, 2018 4:43 AM

@ MarkH,

Another way to think about the wildlife resurgence there, is that although radiation poisoning is a heavy stress, having people around is vastly worse :(

I gather there are several explanations (almost as many as teams investigating).

But my point was "The original predictions" were so far off the mark they "were effectively wrong".

Thus indicating we know a lot lot less than we should do about the various forms of radiation.

If you like it's like putting a "Here be Dragons" mark on a map.

Or unquantified -v- quantified risk, the trick being how to quantify the unknown without becoming part of the experiment (a kind of reverse "experimenter effect" where the researcher's main cognitive concern is the experiment bites back ;-)

MarkHOctober 26, 2018 5:16 AM

@Clive:

It seems to me plausible (though I don't have nearly enough knowledge to evaluate whether it's the true case) that the predictions for individual mortality were reasonably accurate, while at the same time biologists failed to imagine/analyze how well the populations might fare at that level of radiation mortality.

Part of the point I was offering above, is that insofar as population dynamics are concerned, the effects of other causes of mortality (connected with proximity to the relentlessly destructive homo sapiens) seem to have completely swamped the effects of ionizing radiation.

Having read about human health effects from radiation for many years, my impression is that the medical understanding of these health effects is surprisingly accurate. This is partly for the sometimes tragic reason that so many people have been subjected to so many varied types and intensities of radiation exposure. There's a huge database of medical data on radiation exposures and aftereffects on which to draw.

Because fears about ionizing radiation have evoked such powerful emotional responses since 1945, there has been a lot of not-very-scientific "controversy" in which anti-nuclear alarmists propose dose/response models suggesting that medical science has it all wrong, and radiation (especially at modest rates of exposure) is a lot more dangerous than they say. As far as I am aware, such models have not been sustained by the data.

"Reading the results across" to non-human animals probably presents much greater difficulties, because the data is much more sparse.

One challenge in the Chernobyl situation is that it's probably cheaper and safer to measure populations (the size of which has MANY influences), than it is to do a sufficiently comprehensive survey to measure radiation-caused mortality (i.e., isolating a SINGLE influence).

Clive RobinsonOctober 26, 2018 11:07 AM

@ Mark H,

Having read about human health effects from radiation for many years, my impression is that the medical understanding of these health effects is surprisingly accurate

The medical profession certainly has a reasonable understanding of short term exposure above certain limits but that's only one of the four quadrants for any given total energy exposure.

It's fairly obvious why human experiments are considered unethical and even animal experiments on mammals etc.

Which gives rise to a problem with known and unknown exposure events.

With those who work with radiative EM sources from DC to Daylight and way beyond there are supposed to be exposure logs kept. However I know from long experience they are not kept or not kept accurately for many reasons not least being the "chicken and egg" problem of basic exposure limits combined with the difficulty of measuring the energy concentration at any point in time.

But what of those who don't knowingly work with radiative sources and apparently suffer no ill effects. These are effectively "under reported" or not reported at all. For instance in the UK people have been living with Radon gas for many more years than we knew it existed.

We also have unexplained illness "hot spots" sometimes known as "new town syndrome" where clusters of diseases that "might" be due to some form of radiation cluster around sites which were not so long ago "green field" to urban or even city sprawl. There are a lot of hypothesis but insufficient public records to start finding correlations.

It's a complex and often baffling hunt for data, especially when you know the data you will get is almost certainly going to be skewed towards harm rather than benifit. Simply because illness / sickness gets recorded, where as health does not.

It's why the likes of the Chernobyl site are receiving the attention they do, because the only "unethical" part is catching and dissecting wild animals that have chosen for what ever reason to live in the area anyway.

All we really know about low doses of continuous radiation exposure is we don't know enough... Which in turn means our current models and thus limits for EM Radiation Exposure are almost certainly wrong. Beyond that there is little we can say.

MarkHOctober 26, 2018 1:10 PM

@Clive,

Leaving to one side any health effects from exposure to low intensities of radio frequency EM radiation ... I think that for ionizing radiation, we have pretty good data for at least 3 of the 4 quadrants.

Background radiation levels vary by large factors according to location. This sets up a "natural laboratory" for assessing dose/response effects over any period of time up to the typical human lifespan.

Likewise, radon exposure (which has received significant attention in my part of the world for about 35 years) varies wildly from place to place, again providing a useful tool for assessing health effects of radionuclides in the lungs.

There are rich databases for various medical and occupational exposures, which aid in finding responses to very specific forms and doses of radiation exposure, including brief exposures to high intensities.

Thankfully, there is much less data on long-term exposure to very high doses, because (a) the precipitating circumstances would be unusual, and (b) the subjects tend to die or quit before much time has passed.

Luckily for science, the first group of idiots who decide to fly to Mars will enrich our knowledge.

Of course, separating out other risk factors and statistical noise requires a great deal of diligent and patient effort. Because health effects of radiation is a well-studied problem, a lot of that work has already been done.

Surely, there's always more to learn. But alarmist claims that medical science has missed (or conspiratorially concealed) some deadly danger from low levels of ionizing radiation -- in which all terrestrial creatures have been bathed for more than 300 million years! -- are emotionally charged piffle.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.