Sherman Jerrold October 26, 2018 6:00 PM

I realize that while a new article, this is not the entire picture. Bruce Schneier and many commenters have provided many similar insights in the past – –

The spying corporations are working with other spying Corporations and all are working with the spying government; all trying to own the sheople and destroy the last minuscule vestiges of security the public had:

Welcome to the united states, here is your foil-lined hat

RG-1 October 26, 2018 6:18 PM

DNS Manipulation and Selling Purchase History

For years it was great writing product reviews on Amazon, after the A/V technology forums were sold then monetized. The new product is the web-site consumer!

On Amazon it was rewarding just being able to write ONE review and state your point weighing the pros and cons. No need to fight the excess garbage at forums. But the advertising distortions then followed with the rise of countless fake reviews.

Now however Amazon is monetizing consumer reviews and also using purchase history to track around the Internet and display advertising. The Fire brand streaming products are also including advertising. What’s an Amazon customer/product to do?

Proactively stop the free contributions while building a wall-garden around to compartmentalize Amazon:
a) delete existing product reviews (Amazon makes this harder to do as they used to show you a single list)
b) stop writing new reviews
c) cut back purchases offset by shopping locally
d) periodically re-evaluate $120 Prime Membership
e) use a VPN when browsing to reduce tracking[1]
f) block in Ublock Origin Filtering Rules
g) remove tracking references from Amazon bookmarks
h) limit Fire tablet usage to games or education. No searches or personal interest info!
i) avoid purchasing data-gathering devices like Echo or Firesticks[2]
j) don’t buy content that can’t be downloaded
k) use fake names/ages for children

[1] As Amazon dramatically increases targeted advertising, it’s clamping down on ‘free’ anonymous browsing/shopping.

The powers-that-be (including ISP, AWS and DNS) have set up a coordinated system which hangs for Amazon DNS lookup. That is, a VPN’s recommended DNS address may hang or work VERY slow JUST on
The bottom line is advertiser Amazon forbids shopping using certain VPNs!
Note: I use a household router running DD-WRT with open-vpn 256 protocol.

I pondered the disturbing realization that persistent, coordinated, high level restrictions were being played at the DNS level by all powerful, yet unknown actors. This has nothing to do with Digital Rights Management excuse.

I investigated other public DNS services. No surprise as Google’s DNS also hung.
Besides changing DNS providers, I checked the DD-WRT ‘Forced DNS Redirection’ box:

Forced DNS Redirection installs iptable rules in the prerouting chain (iptables -t nat -vnL PREROUTING) that FORCE all traffic (udp/tcp) destined to port 53 to either be sent to your router IP, or DNS servers.
After DNS experimentation, is no longer blocked. Hopefully university level or cyber researchers will be able to identify who is restricting the backbone DNS Internet.

Instant Karma on Spoiled Relationship
In their quest for world domination, Big-Data Amazon has caused me a lot of pain. And not just technical or lifestyle, as they have now lost my years of carefully cultivated built-up trust. I refuse to become their new product. Hence this final review!

Apple’s Timely Warning now includes Amazon
1950s Industrial Military Complex vs. 2018 Data Industrial Complex

Apple’s Tim Cook — the only U.S. CEO to appear in person — spoke in the strongest terms, calling for a federal U.S. privacy law to match Europe’s General Data Protection Regulation, and warning about the rise of a “data industrial complex” that would work against regular people.
Today ‘Amazon Reports Another Profit but Sales Underwhelm…stock falls 9%’. WSJ reports ‘The Global Tech Backlash Is Just Beginning’.

The top corruption story of 2019 will be big-data manipulating a technically challenged Congress, attempting to water-down the new CA privacy law before it takes effect Jan 1 2020.

[2] A superior product is the Apple 4K streamer with no advertising and minimal tracking. Here Amazon is limited to being an application like Netflix.

Clive Robinson October 26, 2018 6:21 PM

@ Bruce,

Yet another problem that a blockchain-enabled supply-chain system won’t solve.

The first Director of MI5 who became “publicly known” Dame Stella Rimington earned a degree of notoriety back in Nov 2005 when she pointed out national ID cards would not solve terrorism amongst other things,

Whilst her headline points made news the underlying reason for the points she was making about the inability to tie physical objects to informational objects was lost on 99.9..% of people.

Whilst the blockchain under certain limited circumstances might protect information, that information does not link at all well to physical objects unless the information is an intrinsic, unique, and unforgeable property of each physical object. Which even DNA measurements are not…

Every time I hear about using the blockchain for “real world auditing” I wonder how long it will be before this point gets made the hard way by criminals etc.

The joke of it is people talk about the blockchain being a “Public Ledger” but they obviously have not sat down with an auditor and asked about the failings of ledgers, which have been known for at least three hundred years…

Likewise I doubt they understand the reason why “double entry” bookkeeping was started and its implications. It is after all nice to talk about multiple public copies of a blockchain, but the reality is as the number of blockchains rises, who are the members of the public who are going to keep all these duplicate copies…

Anyway I shall now duck under cover as the evangelists accuse me of hearsay or some such 😉

Curious2 October 26, 2018 7:46 PM

Been reading for a while. Curious what you all think about the following security requirements:

1) the ability to record information and retrieve it later from a different device
2) the assurance that no one else can access the information
3) the assurance that access to the raw information does not imply understanding (encryption)
4) the assurance that the information is not corrupted

A tl;dr is that I want a personal “diary” that I can use across devices. What would it take to build this? What products exist that could accomplish this?

godel October 26, 2018 9:47 PM

Using AI to detect false robbery reports (for insurance fraud).

“Within a one-week period, it flagged 25 robbery reports in Murcia and 39 in Malaga, all of which were deemed false after the claimants were further interrogated. By contrast, throughout the month of June in the years 2008 to 2016, the average number of false reports that were manually detected by police officers was 3.33 for Murcia and 12.14 for Malaga.”

Tatütata October 26, 2018 11:50 PM

It is the season…

Houston Chronicle, 26 October 2018:
Voting machine errors changed votes in Cruz-O’Rourke race, group says

AUSTIN — Some straight-ticket voters have reported that voting machines recorded them selecting the candidate of another party for U.S. Senate, exposing a potential problem with the integrity of the state’s high-profile contest between U.S. Sen. Ted Cruz and Congressman Beto O’Rourke and leading good government groups to sound the alarm.

Several Democratic voters, for example, have complained the voting system indicated they were about to cast a vote for Cruz, a Republican, instead of Democrat O’Rourke as they prepared to send it. Some said they were able to get help from staff at the polling place and change their votes back to what they intended before finalizing their ballots.

And they thought they were done with counting chads… Reality imitates art again?

“Straight-ticket” voting is a problematic feature in my eyes.

Timothy October 27, 2018 12:15 AM

The baby-products company Luv n’ care, LTD. has had a problem with counterfeit versions of its products being marketed and sold to customers. Sales are being diverted from Luv n’ care to overseas pirate suppliers who are advertising counterfeited products with Luv n’ care’s trademarks and often times with their photographs. Shoppers who are lured to the pirated supplier’s website to make a purchase often don’t know that it is not an affiliated company. This costs Luv n’ care millions of dollars of lost business a year.

These pirate companies not only steal Luv n’ care’s intellectual property, but may also be running afoul of the strict U.S. health and safety laws that regulate consumer baby products. Having tested some of these counterfeited products, Luv n’ care found that the pirate suppliers often use inferior or banned materials; additionally, some products may not comply with size requirements. Such deficiencies create hazards for which both consumers and Luv n’ care have no recourse as there is no domestic jurisdiction to enforce IP laws or health and safety regulations. Luv n’ care’s IPR counsel Mr. Robert Chiaviello sees this issue as a matter that could be managed by improved oversight from customs and border control.

Mr. Chiaviello had an opportunity to present this concern at a Congressional hearing held earlier this year titled “Leveraging Blockchain Technology to Improve Supply Chain Management and Combat Counterfeit Goods.” Fellow witnesses at the hearing included DHS’ Science and Technology Division Director, Dr. Douglas Maughan (formerly of the NSA and DARPA), Maersk’s Head of Global Trade Digitization Mike White, and Christopher Rubio the VP of Global Customs and Brokerage Staff at UPS.

According to Dr. Maughan, U.S. Customs and Border Protection (CBP) has been the most active DHS operational component to partner with S&T on the use of blockchain technologies. CBP currently has multiple proof-of-concept blockchain deployments to help facilitate the movement of travelers and goods.

Maersk’s Mike White had this to say about blockchain in his written testimony:

Blockchain creates an immutable record of transactions, which enable the ecosystem to track the exchange of critical information – like records of inspection, bills of lading, and customs documents. Throughout a trade, each participant has real-time visibility across the supply chain according to permission levels. Trust is built by validating the participants, authenticating transactions, distributing information, and maintaining unalterable records that are located on or accessible through the platform. […]

With access to that information, and the ability to utilize Blockchain to securely and confidentially collaborate, the industry is poised to finally realize the enormous potential offered by true supply chain digitization. […] As the network grows, its benefits will multiply and it will generate billions of dollars in savings for the industry along with entirely new approaches to global logistics.

According to a recent article some of the largest global supply chain companies are moving to blockchain technology.

Tatütata October 27, 2018 12:36 AM

@echo, re. Brain wave based authentification

I am very skeptical, and would need much more information to be convinced.

We initially tried using 32 sensors all over a person’s head, and found the results were reliable. Then we progressively reduced the number of sensors to see how many were really needed–and found that we could get clear and secure results with just three properly located sensors.

EEGs are tricky to measure, much more than say, EKGs. Three sensors? The signal is of a low bandwidth. How large is the signature space, how truly unique are the patterns? How many seconds are required for an authentication, and to what degree of false positives/negatives? A sensor helmet with an electrical “bed of nails“, or even soft contacts, would IMO entail challenging reliability and hygiene problems. The method would only be as secure as the helmet itself.

If the concept is effective, I wonder whether impairment of the subject is detectable. Might be useful to detect tiredness or drunkenness.

I tried locating patent documents to the names of the researchers, or filed by SUNY.

A very cursory general search revealed about a dozen documents, mostly of Chinese origin, together with a couple of Korean ones. A good starting point. There are also two US applications, US2017242994 and US2008294907.

The Battelle document mentions US DOE sponsorship (For ICBM launching? Or a less sinister purpose?), and prior art to look into. The references go back almost 20 years. I don’t think we’ll see an operational system anytime “soon” as claimed in the article title.

The Cal Poly document uses music as a stimulus, and claims to achieve a coercion-resistant authentication system.

Clive Robinson October 27, 2018 5:17 AM

@ Tatütata,

It is the season…

But not “of good will” it appears.

Oh you might want to explain the notion of “Straight-ticket voting” and the “master lever” process that facilitates it on voting machines. Along with why it’s used as an argument for “voting machines” even though the practice is not just dying out amongst many voters[1] but the process is now illegal in increasing numbers of states[2].

Hard though it may be for some to believe, quite a few countries only mention candidates names not their parties on the ballot papers…

As Churchill once observed “You can always count on Americans doing the right thing… After exhausting all the Alternatives”… I can see the US voting system has only taken one or three steps in that very long journey 😉

[1] The fact that straight-ticket voting is declining in the US gives me hope that given time the strong trend of “My Country Right or Wrong” which is one of the bedrocks of “American Exceptionalism” is likewise waning as more US Citizens choose to no longer abdicate their responsibility politically.

[2] I’m told there are jokes about US voting machines offering master lever users the choice of “Blue pill or Red pill” but with colours transposed.

Curious3 October 27, 2018 6:29 AM


I have had similar questions. I can’t bring myself to trust Standard Notes, and although I like and use Syncthing, I have not found a cross-platform (including mobile device) encrypted text editor.

Gunter Königsmann October 27, 2018 7:37 AM

@curious2: I would give the diary its own SSH user account that has its home directory inside the home directory of the user that owns it. That would allow any other diary to access the files. Then an avahi or similar service should advertise that this IP address contains a diary. …and there needs to exist a conflicts management if one uses many devices but syncs the diary only occasionally.

RG-1 October 27, 2018 7:41 AM

Head Up His Cloud

I usually make a point and leave it at that. But Wall St is already punishing Amazon for ad saturation.
The Amazon CFO’s pathetically obvious greed has jettisoned customer trust:

‘On an earnings conference call today, an analyst asked Amazon Chief Financial Officer Brian Olsavsky whether the company’s shopping sites were fully saturated with ads.
“As far as penetration, we don’t have that quantified for you,” Olsavsky said, “but we still believe that there is a lot of room to continue to improve the presentation of bringing to our customers new and more relevant purchase options.”

The brilliance of Amazon lies in its cold efficiency. Search, click, buy. Repeat.

Not search, scroll, scroll, scroll, click, click, buy.’

They will need to pull back or they are going to see shoppers recede,” said Guru Hariharan, CEO of Boomerang Commerce, a startup that makes software tools to help brands grow their business on Amazon in an automated fashion through advertising and other methods. Hariharan worked for nearly six years at Amazon earlier in his career.’

Please prove the psychopathic CFO right by deleting your Amazon reviews.

Anders October 27, 2018 8:37 AM


Your first task is to decide (and tell us) against whom you want to protect your diary. Kid sister or NSA? From this everything starts…

JG4 October 27, 2018 9:16 AM

@Curious et al. – Thanks for bringing up the topic of secure remote access to information. It has been bugging me, because I often need daylight-readable information in the car and elsewhere. The secret code for looking at badly-lit LCDs in sunlight is 8u115417. I think that a secure communication system can pass messages between secure storage and any secure endpoint that you have. I wrote up a concept a while back that provided secure endpoints for secure telephony using off-the-shelf cell phones. I’ll think about extending the concepts to remote access.
…[security, as]
“I define it here, [is] 1) content, 2) metadata and 3) location. I believe that the first two are completely soluble, given a) robust encryption of the audio [with] (a sort of dual [audio] data diode) b) a secure intermediate server, and c) location spoofing. Location spoofing can be taken much further with d) a network of cell transceivers accessible by the server b).”

Is Orwell’s Big Brother Here? Bezos & Amazon Team up With Defense, CIA & ICE
Yves here. In case you hadn’t noticed, more and more pervasive personal data collection is a wet dream for police. This Real News Network interview describes how it is being used in “predictive policing” or what Philip K. Dick called “pre-crime”. And if you haven’t stopped or greatly reduced your use of Amazon, this piece makes clear why that would be in your best interest.

Big Brother Is Watching You Watch

Google’s smart city dream is turning into a privacy nightmare Engadget

They look like cops, but they’re not. And they’re all over Michigan. Detroit Free Press

Imperial Collapse Watch

Post-Cold War U.S. Foreign Policy Has Been a Near Total Failure. Two New Books Look at Why. The Intercept

Why today’s troops fear a new war is coming soon Military Times

American Defense Contractor Accused of Enslaving U.S. Citizen Linguists Daily Beast

Clive Robinson October 27, 2018 9:48 AM

@ Curious2,

Your four basic requirements for your “notepad” need to be fleshed out some more. Especially as some impact possibly negatively on the others.

So to go through things a bit,

    1) the ability to record information and retrieve it later from a different device

This is actually a minimum of two requirements, of 1.A Storage and 1.B Communications.

There are various ways you can do this depending on if you want a single storage device that can be communicated with remotely, thus need online access when in use. Or distribution of an archive and updates, that will allow off line working up to a point where re-syncing is required to keep all the archives in step.

There is a hidden gotcha in doing it the second way, in that you could edit from more than one device before the re-syncing is done. Which opens the door on which edit takes precedence and how you resolve two or more edits on the same locations in the various archives. This is not an easy problem to solve as has been found with distributed code repositories like The Revision Control System through to GIT etc.

    2) the assurance that no one else can access the information

Likewise you need to decide how you are going to do this for both storage and communications. One way which has a whole mountain of problems to deal with is by using Encryption. However the reality of encryption is it only protects data at rest and data being communicated. It does not protect data which is being processed or made available for access to be processed. Further when the data is in Core RAM being processed most likely it will be unencrypted in whole or part, which means other processes can get at it. But also when being processed it can be copied in part or in whole to non-encrypted storage when the process gets swapped or paged out of core RAM by the OS. Whilst there are ways to lock the Core RAM they are by no means universal and are certainly not secure against attacks from below the CPU ISA level in the stack. Whilst you can keep the data encrypted in Core RAM in the process space it needs to be built into any application that accesses the data to process it. However there is one place you can not encrypt the data which is in the I/O space. Which includes not just the cin/cout buffers but also the OS buffers for input and output which in most modern systems includes fairly large output screen buffers as well as the input “line discipline” buffer.

    3) the assurance that access to the raw information does not imply understanding (encryption)

I’m not entirely certain what you mean by this as there are a number of possibilities, perhaps you can rethink / rephrase it.

    4) the assurance that the information is not corrupted

Again this can mean many things, but it almost certainly will have an impact not just on communications where it will be minimal but also processing and storage where the impact will be significant. The impact will be similar to thinking about what gets put where and how in longterm storage but also in Core RAM.

I hope that gives you an idea about the things you need to not just consider but flesh out in your specification.
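
An added example, not part of the comment above or of any product named in this thread: a Python sketch of the re-sync "gotcha" (two devices editing before syncing) using per-device version counters, with an HMAC tag per entry for requirement 4. The key, device names and record layout are constructed for illustration; confidentiality (requirements 2 and 3) is deliberately left out and would need an authenticated cipher on top.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real diary would derive it from a passphrase with a KDF.
KEY = hashlib.sha256(b"constructed demo key").digest()


def _canonical(entry_id, text, clock):
    # Sorted keys give exactly one byte string per logical record.
    return json.dumps({"id": entry_id, "text": text, "clock": clock},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(key, entry_id, text, clock):
    """Return a record whose tag covers id, text and version clock."""
    tag = hmac.new(key, _canonical(entry_id, text, clock), hashlib.sha256).hexdigest()
    return {"id": entry_id, "text": text, "clock": dict(clock), "tag": tag}


def verify(key, record):
    """True only if the record is well formed and its tag matches."""
    try:
        expected = hmac.new(key, _canonical(record["id"], record["text"], record["clock"]),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, record["tag"])
    except (KeyError, TypeError):
        return False


def edit(key, record, device, new_text):
    """Edit on one device: bump that device's counter and re-seal."""
    clock = dict(record["clock"])
    clock[device] = clock.get(device, 0) + 1
    return seal(key, record["id"], new_text, clock)


def compare(a, b):
    """Order two version clocks: equal, a_newer, b_newer or concurrent."""
    devices = set(a) | set(b)
    a_ahead = any(a.get(d, 0) > b.get(d, 0) for d in devices)
    b_ahead = any(b.get(d, 0) > a.get(d, 0) for d in devices)
    if a_ahead and b_ahead:
        return "concurrent"
    if a_ahead:
        return "a_newer"
    if b_ahead:
        return "b_newer"
    return "equal"


def resync(key, local, remote):
    """Decide what to keep when a remote copy of the same entry arrives."""
    if not verify(key, remote):
        return local, "rejected"          # corrupted or altered in transit/storage
    if not verify(key, local):
        return remote, "local_corrupt"    # local copy damaged, remote is intact
    order = compare(local["clock"], remote["clock"])
    if order == "b_newer":
        return remote, "take_remote"
    if order == "concurrent" or (order == "equal" and local["tag"] != remote["tag"]):
        return None, "conflict"           # both sides edited: a human must merge
    return local, "keep_local"            # remote is identical or stale (replayed)


def demo():
    base = seal(KEY, "2018-10-27", "first draft", {"laptop": 1})
    on_phone = edit(KEY, base, "phone", "first draft + phone note")
    on_laptop = edit(KEY, base, "laptop", "first draft + laptop note")
    tampered = dict(on_phone, text="altered in transit")
    return {
        "fast_forward": resync(KEY, base, on_phone)[1],
        "both_edited": resync(KEY, on_laptop, on_phone)[1],
        "tampered": resync(KEY, base, tampered)[1],
        "stale_replay": resync(KEY, on_phone, base)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Because the clock is inside the tagged data, an altered counter fails verification, and an old but validly tagged copy is recognised as stale instead of overwriting newer text.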

Faustus October 27, 2018 10:27 AM

Ebola: Another problem the blockchain doesn’t fix!

What Clive says about the difficulty of tying computer identifiers to physical objects is true, but this has nothing in particular to do with the blockchain. It applies to any computer system. As far as ledgers being somehow a bad thing, he left that unexplained. The Chartered Accountant who taught me accounting seemed to like them, and I think dual entry accounting is a beautiful thing. Conceptually ledgers are simply databases with a dual entry protocol. Any problem with them that I can imagine solely arises from how people choose to use ledgers, not the ledgers themselves.

College rape crisis: Another problem the blockchain doesn’t fix!

What a blockchain provides is an organized system for sharing data and making it extremely hard to change or add forged information. It is relatively simple so it is easier to assess than more complex databases. If we could have the same confidence in MariaDB (an SQL database) or MongoDB (big data) they could serve as well. But these are much bigger systems that are focused on the opposite: Allowing data to be changed.

People I disagree with: Another problem the blockchain doesn’t fix!

Clive asks who will host blockchains: Not surprisingly, it will be the people who have a stake in their success.

Hygiene habits that offend my tender sensibilities: Another thing the blockchain won’t fix!

The main aspect of blockchains that particularly excites me is transparency: Allowing anyone access to confirmably unforged data so they can write their own (hopefully open source) apps to analyze the data themselves and form their own conclusions. This is why I like them for voting and government records. This would enable a new era of government and corporate accountability. Transparency is an optional aspect of blockchains, but they don’t excite me much without it.

Consulting companies jumping on the newest buzzword: Another thing blockchains won’t fix!

When I was in consulting I always asked to be assigned to solve problems that people doubted could be solved. The pride people take in saying that they can’t do something with a general purpose tool like the blockchain is a whole different ethos than mine. It is like MacGyver listing the things he can’t do with a Swiss Army knife. You have convinced me that YOU can’t do much with a blockchain, but I have heard no strong arguments that I can’t.

Faustus October 27, 2018 11:03 AM


I agree that Amazon has some disturbing practices. Mechanical Turk is pretty much an online sweatshop for example. I wouldn’t want to work for them, even as a programmer. I don’t want to be a cog in their wheel.


As a customer who travels around the world I find them invaluable. Since VPNs are a tool for people that are trying to commit fraud, Amazon limits what you can do over a connection that THEY CAN DETECT is a VPN. This is not a real limitation if you are network savvy.

I like Amazon’s whole line of media. I use a Fire and yes it is spying on me. I simply take that into account. I generally am not reading The Anarchist Cookbook 24/7. Who cares if they know that I read about computers and math and physics and techno thrillers? Amazon is one site where I appreciate their analysis and targeted ads because they are often good recommendations out of their massive catalog.

I do not follow your argument about DNS. (Google) has never blocked anything I was trying to get to. The DNS on local ISPs is often very limited.

I am very happy with how Amazon treats the reviews I’ve written. I’ve written contentious reviews without getting nitpicked which is 100x more than I can say about boing boing, which really seems to be the opposite of its freedom fighting/anticorporate facade.

In general, I think the louder a site broadcasts its purity, the more likely it is to be a scam. makes limited claims and I haven’t been disappointed. Amazon is an unabashedly commercial enterprise in its communications and its reality.

I’ve also sold books on Amazon out of my extensive at the time physical library. Their problem resolution definitely was to the advantage of my customers, rather than me, but there were clear guidelines to sellers allowing us to protect ourselves, and in some cases Amazon took the loss to satisfy both parties.

Faustus October 27, 2018 11:32 AM


I appreciate your openness to dialog and the internal logic of your posts. I am likewise amazed at your intense interest in nakedcapitalism.

Googling it, it seems to have a somewhat distinguished history up to 5 or 6 years ago.

It also reveals that it is owned by a main-line financial firm. Capitalists selling anticapitalism?

The article on Amazon you point to, although I don’t doubt the general surveillance that we are living under, is light on details and heavy on innuendo.

To take a page out of nakedcapitalism’s book: Are the owners of NC light on ownership of Amazon and heavy on Apple? Can financial firms make money undercutting trust in the financial system? How does Russia fit into this?

Faustus October 27, 2018 1:14 PM

@Vas Pop

One interesting aspect of security in an insecure world is a supposedly academic website demanding your tracking information before letting you read a paper that probably cites such tracking as part of our insecure world.

Perhaps I am arbitrary, but I prefer wolves in wolves’ clothing to the other option.

Such systems will never get me to care a whit about their “intellectual property” concerns.

Clive Robinson October 27, 2018 3:13 PM

Systemd remotely exploitable

I guess nobody should really be surprised but “systemd” that all the big Linux distros jumped into using with unseemly haste has as part of it a remotely exploitable vulnerability via the IPv6 DHCP client…

However again unsurprisingly people are trying a game of “Pin the blame on the donkey’s ass” and many have blamed the fact it was “hand written” without thinking how ludicrous that actually sounds…

However the article below hits the problem on the head with,

    The problem is that it was written from scratch without taking advantage of the lessons of the past. It makes the same mistakes all over again.

The “lessons of the past” is a point I keep making about ICTSec. That is we as an industry have a nasty habit of forgetting hard won lessons from even our recent past, even though it’s well within living memory.

The big question is of course “Why?” with the secondary question of “And how do we stop it?”.

Whilst Robert Graham the writer of the article gives specific remedies for the bugs in the DHCPv6 client code and their type, he does not really touch on the “Why?” question.

I’m not blaming him, because that was not the intent of his blog post. Further many would say it is an almost philosophical question, that kind of needs its own conversation. But it is one we really should be having.

Clive Robinson October 27, 2018 3:53 PM

@ Bruce, and the usual suspects,

This paper may be of interest,

It talks about setting up a “periodic table” of data structures for various reasons.

One of which is to identify where data structures are missing, but in the process enable reasoning about known and unknown data structures.

Whilst security is not mentioned it is somewhat easy[1] to see how it would fit in with data structure properties such that it too could be reasoned about in the same way, thus aid in the development of more secure designs for systems.

[1] It has the potential for a Doctoral thesis, that could be considered somewhat more fundamental than most.

VRK October 27, 2018 4:13 PM

@ Clive Robinson

I shall now duck under cover

ach man. please, dinnae do that; you’ve yer finger in a dike.

I appreciate you sharing the thought about endpoints. I wish writers of Signal (etc) would address this. My mind-to-mind solution is years away at this rate. 🙂

…encryption … does not protect data which is being processed or made available for access to be processed

Clive Robinson October 27, 2018 4:40 PM

@ All,

Linux Journal has a “something for the weekend” list of articles on privacy,

Have a browse through, there is likely to be something of interest.

Oh and for those with an interest in “The thinking of Linus Torvalds” this is actually of broad interest to developers in many areas as it talks about the dread “I-word” of Internationalization and why it’s not in the Linux Kernel or likely to be any time before those in hell need a jumper,

Faustus October 27, 2018 5:09 PM


That is a very interesting paper on data structures. It is fodder for a lot of questions like:

— What is missing from their taxonomy?
— Why does this seem overly reductive to me? Perhaps simply prejudice on my part.

I have written a general evolutionary solver. You can plug in all sorts of contexts, but currently I have it writing procedural computer programs because I think this is a particularly hard context as there are not a lot of continuous paths towards improvement in this paradigm. (A program that is a little wrong usually gives a very wrong answer)

It handles arbitrary data types but I have, clearly short sightedly, focused on evolving process rather than representation. The perspective of this paper is a gold mine for me. I am now particularly interested in evolving novel data structures.

Clive Robinson October 27, 2018 5:17 PM

OpenBSD 6.4 localhost root hole

As noted by Theo this “is the first localhost root hole in quite a long time” and it could so easily have been avoided. Which is why the story so far about how X-Hole got into 6.4 makes painful reading,

@ ALL,

We are starting to see more and more this year cases of various development teams not getting told about Security Issues when they really should be. Various excuses are given by those who are responsible for informing teams as to why some teams get told and others don’t. I’ve yet to see one excuse that is valid in the general security context.

It’s past time that there should be a significant conversation about the real reasons and how they can be mitigated. Because at the end of the day, as the old saying about a single rotten apple in a barrel indicates, user security and privacy rests on all systems on networks being secure not just a “favoured few”.

Clive Robinson October 27, 2018 5:47 PM

@ VRK,

ach man. please, dinnae do that; you’ve yer finger in a dike.

Hmm that is definitely a “context sensitive” statement 😉

With regards

I appreciate you sharing the thought about endpoints.

Thanks, I just wish I could get more people to take it onboard and at least think and talk about it. Because although it’s “an obvious problem” when it’s pointed out it’s not getting attention with the “Smart device” hardware developers, OS developers, or application developers. And until they do take it onboard user security thus their privacy is in effect “totally open” to a whole multitude of attackers.

As for,

    My mind-to-mind solution is years away at this rate. 🙂

Can I offer a few wise words of counsel from the late Sir Terry Pratchett,

    The trouble with an open mind, of course, is that people will insist on coming along and trying to put things in it.

He might have been thinking in a different context 😉 But that’s the thing about “wise words” they have a habit of being general not specific in scope 0:)

k15 October 27, 2018 5:56 PM

Remind me why it is that financial institutions’ UI developers are unfamiliar with the concept of read-only permissions?

Timothy October 27, 2018 5:58 PM

On October 3, 2018, the U.S. Customs and Border Protection’s (CBP) emerging technology working group presented an update on their proof-of-concept deployment of blockchain to solve a global supply chain case-of-interest.

The prioritized use-case centers on CBP’s ability to determine if an item qualifies for a free trade import tax exemption based on the necessary percentage of an item’s components being produced/assembled in a FTA country.

For this first Customs-use case, DHS is working with a Virginia company to test product eligibility for two Free Trade Agreements: the North American Free Trade Agreement (NAFTA) and the Central America Free Trade Agreement (CAFTA).

According to a member of the emerging technology working group at CBP’s COAC public quarterly meeting in October, tests have been completed for the NAFTA and CAFTA verifications, and they expect to have recommendations to present at the December meeting.

DHS’s Cybersecurity S&T Division Director Dr. Douglas Maughan also reviewed the NAFTA/CAFTA blockchain project in his testimony to Congress in May. Dr. Maughan further outlined the steps that DHS S&T would be taking to continue to develop blockchain technology, those being (and he gives resource links in his testimony):

1. Support development of globally available specifications (precursor to standards) that are open, royalty free, and free to implement to ensure interoperability across systems while ensuring there is no vendor lock-in.

a. Decentralized Identifiers (DIDs) via World Wide Web Consortium (W3C) Standardization Process

b. Verifiable Claims Data Model via W3C Standardization Process

c. Decentralized Key Management System via TBD (Potentially OASIS)

2. Actively work with and support our DHS Component customers, such as CBP, to understand their potential use cases for blockchain and help them achieve their outcomes with the needed R&D expertise and technologies.

k15 October 27, 2018 5:58 PM

Has anyone else noticed that you never have to jump through the ReCaptcha hoops, that merely checking the “I’m a human” box is now sufficient?

Faustus October 27, 2018 6:25 PM


Thanks for posting this. Really nicely laid out.

I’d love to crow that this supports my point that blockchains have potential, but reading it in detail, and being used to writing these kinds of documents for engagements, to me these documents largely translate to: “We are thinking really hard, but we haven’t gotten far yet.”

I particularly like this tidbit:

“The lack of best practices and implementation design patterns leads to knowledge and action asymmetries.”

Which either means “we know a lot but aren’t doing much” or “we don’t know much but we are doing a lot”. If I have to choose from these not so tempting options, “I’ll take a number one with a side of consulting fees, please.”

But this really is the way it works. I was involved in creating tons of documents/presentations like this (not to mention programs) while never reaching critical mass trying to launch “The Semantic Web”. TA DA!! TA DA!! ta da… oh, well

Perhaps the blockchain is a technological dead-end, or not, but for me it’s cool to watch people try.

Clive Robinson October 27, 2018 6:52 PM

@ Anders,

There is a bit of a problem with the idea of sanctions against Russian individuals. As the NYTimes indicates,

    The new American campaign, according to these officials, is aimed at both oligarch-funded hacking groups and Russian intelligence operatives who are part of Moscow’s disinformation campaign.

In the UK investigations into the voting attacks by Facebook and Cambridge Analytica started to show that money and resources were actually coming from various Hedge Fund and Silicon Valley billionaires in the US, and were using various “cut outs” including Russian ones to try to hide the source of the funding etc.

Of interest, is when this started to become clear the investigations were either stopped or redirected away. What is not clear is who gave the orders and why.

Likewise the UK investigations into the Salisbury Novichok poisonings appear to have gone very quiet as various salient questions went unanswered that had thrown doubt on the “Official Story”.

None of which bodes well when the US insists on escalating against others for things it has repeatedly done to others and continues to do so. This can only happen because of a particular imbalance in the US favour. What people are not really considering is what will happen if Russia or those in Russia decide to escalate in a way that Russia has the advantage in?

As has been noted in the past the outcome of pissing contests is usually quite messy.

For instance the current US administration apparently out of a fit of pique at the International Court of Justice has indicated it is going to pull out of a treaty that protects foreign nationals. If they do it changes the dynamic with regards “those under diplomatic cover” essentially it would allow other nations to treat US personnel in their nation in a different way, up to and including the fullest punishment in that nation’s civil or criminal legislation which would include the death penalty…

Nations that sign up to such treaties usually do so out of “self interest” thus arbitrarily leaving is the equivalent of committing “self harm”. Something the US apparently wants to do a lot of currently,

Timothy October 27, 2018 9:43 PM


    Perhaps the blockchain is a technological dead-end, or not, but for me it’s cool to watch people try.

Oh, yes, my friend. As if it were the giant computer they later wished into a handheld calculator, it seems they are intent to make something good of it…

And if this is any kind of harbinger of developmental expectations, the Senate Energy Committee invited the famed co-inventor of the TCP/IP protocol Dr. Robert Kahn along with four other distinguished witnesses to testify on the blockchain this last August.

I have only just listened to the 5-minute opening statements from each of the witnesses, but my vast ignorance makes those hearings such prime watering holes that I can hardly resist. And I think that means that I fall into the second category… ‘Which either means “we know a lot but aren’t doing much” or “we don’t know much but we are doing a lot”’

Well, I hope you stick with creating your documents/presentations and programs for that elusive Semantic Web, even if it means all the growing pains were a future TA DA you couldn’t have even imagined 🙂

Clive Robinson October 27, 2018 9:55 PM

@ Bruce, and the usual suspects,

There are only so many papers I can read, digest and think about in a day, and I appear to be a bit slow today 🙁

However of those I’ve read, this is the last but I’ve not quite finished it yet. But it looks suitable to be of interest to some readers of this blog.

As some of you will know I’ve played around with alternative computing structures one of which is a massively parallel collection of simple CPUs with limited memory each performing a small task that has a clearly designed signature that could be used to significantly enhance security.

As I indicated at the time each computing cell or “Prison” had a very lightweight OS front end that used a simple series of data channels via hardware letter box streams to various other parts of the system to provide the rest of the OS functionality. That is IO cells would have a similar simple interface but would have the actual driver code for the device it was attached to.

As I’ve frequently pointed out the future of Moore’s law was decidedly flat and some are saying it will now take at least another decade to double performance on a single sequential CPU core. Which is why I’ve maintained the view that “The future is massively parallel at all levels and distances”.

Well I’m not the only one of this view and this paper about LegoOS is for almost exactly the same idea,

echo October 27, 2018 11:04 PM


    Oh and for those with an interest in “The thinking of Linus Torvalds” this is actually of broad interest to developers in many areas as it talks about the dread “I-word” of Internationalization and why it’s not in the Linux Kernel or likely to be any time before those in hell need a jumper,

I don’t perceive Linus making a technical argument to support his case. The alternate works. It removes hardcoded variables and provides a graceful error and extended error system. If Linus admitted this and was honest instead of throwing a temper tantrum I would be more persuaded he had “reformed” as he claimed.

Neuroscientists Find That It’s Easier to Be a Pessimist. The brain is quicker to judge something as negative, because it’s easier than reframing to positive thinking.

Perhaps Linus mode of reasoning is because his brain is overtaxed?

RG-1 October 28, 2018 12:22 AM

@Faustus wrote:
‘I like Amazon’s whole line of media. I use a Fire and yes it is spying on me…’

Rather than responding directly to your typical American (I don’t care) point of view I’d rather use an example from the today’s NYT:

How Destructive is Silicon Valley Technology? (file under crazy but true)
Consider the nannies employed in Big-Data Silicon Valley, the eye-opening contracts they now must sign, the constant spying and social media shaming they endure.
Even though 60-80% of Silicon Valley engineers are not American citizens, they largely run (and censor) American society and many public institutions like schools and libraries.
Reading the article THEY know about the dangers of addicting, eavesdropping and targeted saturation advertising screens:

Security from Big-Data or People Popping Like Corks (PPLC)
Do you understand their paranoia/fear over the products they themselves develop? What’s that word…
I personally could not live designing products to harm future generations. Or social media addicted adults having breakdowns and going on violent rampages. The rulers of Silicon Valley understand these weapons and smartly shield their families. In the crazy NYT article they call smart-phones the work of the Devil[1] – and they aren’t even religious!

Amazon used to let people read knowledgeable reviews and then make an informed choice of which product to purchase. Fast, efficient and confidential.
I define advertising as hoodwinking the consumer into purchasing a product they would not otherwise consider. For myself it’s a waste of time. Manufacturers must now pay for top product placement which customers must endure (as ad-blockers don’t work well here).
The Amazon search sorting is mediocre at best with much extraneous crap thrown in.
How do you search for great-value Add-on items? (you can’t). Just like social media, they want you to keep on scrolling forever and never put the damn screen down.

As the pressure builds to monetize logged-in searches, Amazon is more invasive than Google searches. In both cases you are being tracked and monetized. Unlike Google however, Amazon has your prized (formerly confidential) purchase history to sell. Little wonder advertisers are salivating over this wet-dream opportunity.
However intelligent consumers, Wall St (and now Silicon Valley) realize this to be a dangerous, greed-infested turn into a rabbit hole. Is increased intelligence less intolerant of advertising or countless fake five-star reviews?

While it took main-street America 20 years to catch-on to the data-mining schemes of Silicon Valley, this Amazon advertising explosion substantially degrades the shopping experience. Is it an opportunity for new competition?

Once GDPR laws will take effect, Amazon will not be able to arrogantly monetize MY purchase history, because after 30 days it will be deleted.

Amazon used to treat customers fairly. With this serious break in trust, they are no better than Google or Facebook. Do evil, cover-up and lie constantly. Faustus do you ‘trust’ advertising?

Looking back Amazon shopping was enjoyable while it lasted. Like the stock market, get ready for the ride down!

[1] Notably France bans smart-phones in schools. In America the more wealthy the schools the less dependent teachers are on screens.

RealFakeNews October 28, 2018 2:00 AM

@Clive Robinson:

As I see it, “blockchain” are just a bunch of linked digital signatures. Proponents act as if they just invented something.

RealFakeNews October 28, 2018 2:25 AM



Yes, and I’m still wondering why. Have they been analyzing my mouse motions sufficiently long enough, they know I’m human from that metric alone?

Faustus October 28, 2018 2:33 AM


I’m not trying to troll you, RG-1. It’s frustrating, but there is only so long I can battle the tides. The kindle reports how long it takes to read each page on the kindle back to HQ. I cover the camera in thick tape and never install/enable Alexa. But everything done on it is completely monetized. I suspect that low cost offerings like unlimited music are principally funded by the consumer data gathered. I don’t like to place myself, but I will admit: I even once had an anti-Amazon website up.

But the fact is that the access to digital media has now become essential to me. I am not going to starve myself of the information I need because Amazon does pretty much what everybody does. It is the only site that actually turns my history into decent recommendations too. And, I use AWS. I used to spin up 40 processor machines for my AI systems until this new generation of super-multicore chips enabled me to have faster and cheaper machines built.

The travails of Silicon valley nannies seem the stuff of a reality show. But there is truly little more disturbing than seeing a tyke mind-melded to some idiotic device.

I don’t use social media. I don’t use IoT devices. My cellphone has virtually no apps.
But I do use Amazon because I need what they have.

I think of how the late comedian Bill Hicks used to put on an insincere frown, drop his shoulders, turn his hands out and say “Sorry!” with a sheepish grin.

Faustus October 28, 2018 2:41 AM


Hehehe. You live up to your name.

The blockchain is just linked digital signatures. And your cell phone is just a mirror with a keyboard on it. And books are great for propping up furniture.

echo October 28, 2018 6:50 AM

Police officer filmed himself mocking a mentally ill woman and sent it to friends on Snapchat. West Midlands Police sacked PC Neil Tong following a misconduct hearing.


IOPC West Midlands regional Derrick Campbell said: “Police officers are trusted to uphold professional standards of behaviour, especially when they come into contact with people who are deemed vulnerable.

“The degrading manner in which PC Tong mocked and otherwise treated the woman concerned was disgraceful and a clear abuse of his position of trust … instant dismissal was the only option in these circumstances.”

This cop was low hanging fruit. The police refuse to prosecute UK state sector managers and other staff who routinely defraud mentally ill and disabled people of their entitlements, nor prosecute corporate manslaughter for institutional discrimination which leads to a horrifying number of avoidable deaths.

echo October 28, 2018 7:02 AM

Search engine for CCTV lets you find people from their description

Finding someone in a surveillance video could soon be as easy as Googling them. Descriptions of people of interest, such as a suspect or a missing person, are normally given in terms of their height, gender or clothing. But using this information to find a short woman wearing a red jacket in a video, say, often requires scanning hours of footage manually, which is no easy task. But a new search tool can do it automatically.

What took so long? I guess this had to happen as face and object recognition improved. It’s interesting noting how fine grained the search variables are.

echo October 28, 2018 8:21 AM

Researchers developed a mathematical model describing motion of dark matter particles inside the smallest galaxy halos. They observed that over time, dark matter may form spherical droplets of quantum condensate. Previously, this was considered impossible, as fluctuations of the gravity field produced by dark matter particles were ignored. The study is published in Physical Review Letters.

How a dark star – made of mysterious dark matter – could lead to shadow life. THERE’s a mysterious dark force in our universe. We can’t see it. We don’t know what it is. But some believe it could have its own cold stars — and shadow life.

This is only a theoretical security threat. The wild speculation is dark matter could be a “shadow universe”. This should keep paranoids busy.

RG-1 October 28, 2018 9:34 AM

For those who don’t see the need to protect our children, here is the creepy, scary pit where society is rapidly descending into. Amazon is leading edge in fusing AI with external big-data for targeted advertising [1]:

Reputational Exploitation – Ripe for America
‘So, what will we see next in the social media universe? Thus far, we’ve witnessed four major waves of offensive content that have tracked the darkest tendencies in humanity—content that has exploited people (sex), spread vitriol (hate), encouraged ghastly attacks (violence) and duped electorates (power). Going forward, we fear a new kind of trend will emerge: “reputational exploitation,” feeding off the human tendency to maximize self-interest while paying no heed to the rest of society—namely, through falsely disparagement of others (on social media) for one’s own benefit.

Reputational exploitation will emerge and challenge our democratic institutions and fair markets because the world of content creation and distribution is fast-evolving but minimally monitored or regulated. We are at a stage when artificial intelligence will increasingly be used to create advertisements and content (read Amazon monetizing customer purchase and browsing history) largely because it will be simpler and cheaper for machines instead of humans to manage the entire mechanical value chain behind content creation of digital advertisements as well as unpaid content.’

Only the wealthy will still enjoy human interaction and not be subject to censorship. The serfs will remain as children where privileges must be earned[1]. Can someone post the Amazon smelling salts link?

[1] The real prize is control of the segmented Internets. China reeducates Eastern Civilization and American big-data reigns over Western Civilization

Tatütata October 28, 2018 12:02 PM

    Nations that sign up to such treaties usually do so out of “self interest” thus arbitrarily leaving is the equivalent of committing “self harm”. Something the US apparently wants to do a lot of currently, …

I was dumbstruck when I read this week that the US is slamming the door on the Universal Postal Union on some flimsy excuse and without any prior warning. What? What? The UPU?!?!? There are 190 other parties to that treaty besides the PRC and the US, dammit!

How many more institutions will be wrecked before [666] leaves office one way or the other? I place my bet on the World Meteorological Organization as the next victim. It comes with the much maligned UN, and it is somehow related to a hoax peddled by liberal f****ts. Those effete foreigners have been taking advantage of our Real American (TM) coal driven steampunk weather far too long, and they are laughing at us.

I had this cockamamie dream last night. I was ardently defending the idea of using lottery terminals as voting machines, arguing that they are naturally widely enough distributed to serve the entire population without a fuss, and that one had never heard of one being hacked. (OK, it was just a dream). When I woke up the idea of course made a lot less sense, but I decided I should make an effort to remember it. I guess that US media reports on voter suppression, voting machine problems, and 10-digit prizes, kind of collided in my associative neuronal pudding. Of course, in a lottery there is really only one winner, the croupier, so it hardly matters to him how the spare change is distributed, just as long as not too much of it leaves his gussets. Electronic lotteries also record the details of each and every individual wager, which is contrary to the secrecy of the vote. Yet, I might be onto something here. Terminal manufacturers and operators have experience in securely running a permanently operating network with a very high maximum transaction rate, whereas voting machines make it out of their boxes 2-3 times a decade. (Considering that electronics are usually essentially obsolete while they’re still on the drawing board, the economic model of electronic voting doesn’t make that much sense). I imagine the scene at the corner newsagent: “A packet of paprika crisps, a Fisherman’s Friend, and one federal ballot. That’ll make €3,20 please”.

I nevertheless still favour pen-and-paper elections, and voter registration by door-to-door electoral census, when it still exists.

I pondered about how the straight-ticket model of voting where you decide that all posts from POTUS down to deputy assistant dog-catcher based on a brand rather than the individual is fundamentally different from proportional list voting. But I also detest Westminster style FPTP, winner takes all, voting, which isn’t immune to dirty tricks and gerrymandering. (It’s just called another name elsewhere).

Over the years I took increasing satisfaction that the fool against whose name I mark a cross wouldn’t make it to the cast of the great simian comedy, or at best would get a bit part as a loyal opposition gadfly, thereby minimizing my disappointment to a fairly constant value.

I sometimes toy with concepts involving the random selection of citizens to staff a parliament. But. I was summoned a few years ago to a jury selection, and I very much felt physically ill at the idea of sitting with a bunch of strangers assessing the ugly depths of humanity, while trying my best to be the most innocent, servile, plaything of prosecutors and defense attorneys, somehow deluding myself that my efforts meant something in the cosmic grand scheme of things. I was passed over, phew. Imagine a X-year mandate in parliament.

And now for something completely different.

It’s more original research than a news item, but it stems from a series of blog topics from 2017 relating to the quality and security of random number seed generation. Out of curiosity, as an end-user, I looked at the behaviour of /dev/random on four different devices, and discovered large differences.

From the English language Wiki:

In Ts’o’s implementation, the generator keeps an estimate of the number of bits of noise in the entropy pool. From this entropy pool random numbers are created. When read, the /dev/random device will only return random bytes within the estimated number of bits of noise in the entropy pool. When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered.[4]

I ran my tests in late 2017. The idea is simple: A program reads M sequences of N bytes from /dev/random, and labels each byte with a timestamp, with a pause between each run. The timestamps (relative to the start of the individual sequence) are plotted against the ordinate of the byte read.

I chose N=1000. M was 10 in all cases, but one, with M=5 (see below).

The OS and devices were:

1) ubuntu-derived linux running on a “bare metal” real machine (x86-64)
2) debian running in a VirtualBox VM under Windows (x86-64)
3) Raspbian on a Raspberry Pi3 (arm v8)
4) DD-WRT running on a Linksys router (Marvell Armada 395, arm v7)

The ubuntu results essentially correspond to what I imagined from the above description. Reading from /dev/random is very fast (the line doesn’t leave the X axis), until the entropy reserve is exhausted. At that point the read is blocking until there is enough new entropy available, and the device returns numbers in chunks of 6 bytes, which explains the staircase appearance of the line. The rate at which the entropy is generated depends on how busy the computer is (number of tasks running, UI interactions, disk access). On a “quiet” machine, 3.3s are needed to generate one byte of entropy.

The debian test also meets my expectation. The OS is bottled in a VM, with no other user task running, and more removed from I/O devices. With no other task running, from the yellowish sequence, about 25s of deep thought are required to obtain one byte of entropy. (I interrupted the test after four runs.)

The raspbian run is somewhat fishier. There is no mechanical hard disk connected, and no other user task running except my test program. After exhausting the ~400 byte entropy reserve, 500s are needed to obtain 600 bytes of entropy, or about 1.2s/byte. However, the terminal was idle and connected via SSH, there was no other network traffic, and no other plausible source of entropy was available. How can it be faster than the ubuntu machine first tested?

Worrying results were obtained on the DD-WRT router, which is based on some flavour of *nix. The test program was cross-compiled on the Pi. Here, only 30ms are needed to generate one byte of entropy, yet this is a bottled machine with no UI or hard disk or other peripherals. IIRC, the test was run with the network cables disconnected, and the RF interfaces disabled, in case the network or the RF modem was somehow used to obtain entropy.

I have no idea how entropy is actually obtained on the various machines. I ran a few crude tests (e.g. plotting bits), but saw no obvious problem. The raspbian and especially DD-WRT, when compared to a full-fledged machine (ubuntu on a real PC, debian in a VM) would however deserve further scrutiny.

I would have liked to run the test on my stupid Android device (a private-label thing from a big Telco), but I haven’t yet managed to root it despite my best efforts, and I’m nowhere even near to mastering the “Hello, World.” bit. Windows apparently has nothing comparable to /dev/random, the WIN32 RNG API call is extremely fast, and entirely non-blocking, making it more akin to /dev/urandom. (This API call has since been superseded).
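The timing test described in this comment can be reproduced with a short C program. This is an added example, not the commenter's program: the 10 ms stall threshold, the 5 s pause between runs and every function name are assumptions, and `constructed_trace` builds sample timestamps from the Raspbian figures quoted above rather than from a measurement.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for clock_gettime() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

#define N_BYTES 1000    /* N in the comment above */
#define M_RUNS  10      /* M in the comment above */
#define PAUSE_S 5       /* assumed pause between runs; the comment gives none */
#define STALL_S 0.010   /* assumed: a gap above 10 ms counts as a blocked read */

/* Monotonic clock in seconds, unaffected by wall-clock adjustments. */
static double now_s(void) {
    struct timespec t;
    clock_gettime(CLOCK_MONOTONIC, &t);
    return (double)t.tv_sec + (double)t.tv_nsec / 1e9;
}

/* Read n bytes one at a time from path. ts[i] receives the time, in seconds
 * from the start of the run, at which byte i arrived. Returns n, or -1. */
int time_reads(const char *path, double *ts, int n) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    double t0 = now_s();
    for (int i = 0; i < n; i++) {
        unsigned char b;
        ssize_t r;
        do { r = read(fd, &b, 1); } while (r < 0 && errno == EINTR);
        if (r != 1) { close(fd); return -1; }
        ts[i] = now_s() - t0;
    }
    close(fd);
    return n;
}

/* Number of bytes delivered before the first blocked read, i.e. the size of
 * the reserve that was available when the run started. n if never blocked. */
int reserve_bytes(const double *ts, int n, double stall_s) {
    double prev = 0.0;
    for (int i = 0; i < n; i++) {
        if (ts[i] - prev > stall_s) return i;
        prev = ts[i];
    }
    return n;
}

/* Mean seconds per byte once the reserve is exhausted (the slope of the
 * staircase). Returns -1.0 when the run never blocked. */
double refill_s_per_byte(const double *ts, int n, double stall_s) {
    int k = reserve_bytes(ts, n, stall_s);
    if (k >= n) return -1.0;
    double start = k > 0 ? ts[k - 1] : 0.0;
    return (ts[n - 1] - start) / (double)(n - k);
}

/* Constructed sample, not measured data: `reserve` bytes arrive 10 us apart,
 * the remaining bytes arrive refill_s apart. Returns a static buffer. */
const double *constructed_trace(int reserve, double refill_s) {
    static double ts[N_BYTES];
    if (reserve < 0) reserve = 0;
    if (reserve > N_BYTES) reserve = N_BYTES;
    for (int i = 0; i < reserve; i++) ts[i] = (i + 1) * 1e-5;
    double base = reserve > 0 ? ts[reserve - 1] : 0.0;
    for (int i = reserve; i < N_BYTES; i++)
        ts[i] = base + (i - reserve + 1) * refill_s;
    return ts;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/dev/random";
    static double ts[N_BYTES];
    for (int run = 0; run < M_RUNS; run++) {
        if (time_reads(path, ts, N_BYTES) < 0) {
            fprintf(stderr, "cannot read %s\n", path);
            return 1;
        }
        double r = refill_s_per_byte(ts, N_BYTES, STALL_S);
        printf("run %d: %d bytes before first stall, ",
               run + 1, reserve_bytes(ts, N_BYTES, STALL_S));
        if (r < 0.0) printf("never blocked, ");
        else printf("%.3f s/byte afterwards, ", r);
        printf("%.1f s total\n", ts[N_BYTES - 1]);
        if (run + 1 < M_RUNS) sleep(PAUSE_S);
    }
    return 0;
}
```

Since Linux 5.6, /dev/random no longer blocks once the kernel RNG has been initialised, so the staircase only appears on older kernels such as those in use when the comment was written.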

Tatütata October 28, 2018 12:28 PM

    500s are needed to obtain 600 bytes of entropy, or about 1.2s/byte

Ooops, got my division backwards. Memo to self: give yourself a kick in the butt. That should be “830ms/byte”.

My penultimate link to the WIN API page is mangled, yet it seems OK in the source file.

Timothy October 28, 2018 1:03 PM

The Managing Director of the Web Energy Foundation, Ms. Claire Henly, gave a very articulate opening statement at the U.S. Senate Committee on Energy and Natural Resources’ hearing titled “Energy Efficiency of Blockchain and Similar Technologies” on August 21, 2018. You are free to listen to her 5-minute opening statement that starts around minute 42:30.

She emphasizes three main points: 1) “The blockchain industry is moving away from energy intensive versions of the technology.” 2) “There are valuable potential applications of blockchain in the energy sector.” and 3) “There are still barriers to be overcome before blockchain can contribute to the energy sector at scale.”

Ms. Henly discusses why the blockchain versions behind the majority of cryptocurrencies such as Bitcoin are so energy intensive. [On the high-end of estimates, Bitcoin consumes nearly 32TWh of global energy production a year, on par with Denmark’s annual electricity use.] According to Ms. Henly, “Bitcoin’s electricity use is required by its security mechanism “Proof-of-Work” (PoW) in which block validators known as miners work expending computing power and electricity to add blocks to the bitcoin chain.” She highlights two alternatives to this validation model that have lighter energy footprints: Proof-of-Stake (PoS) and Proof-of-Authority (PoA). Her testimony explores those further.

The hearing witnesses and Senators further discuss this topic and other topics of interest related to blockchain. A consensus seems to be that blockchain is one of a potential array of tools whose strengths could be leveraged for certain projects. One of the projects they discuss is the use of blockchain to support a decentralized power market.

Exploring that more, here is a recent Web Energy Foundation tweet:

Energy Web @energywebx
“#Blockchain, the technology that underpins cryptocurrency transactions, is about to get tested in a trading system for matching #CleanEnergy buyers and sellers in the largest U.S. power market.” via Bloomberg @business “Biggest U.S. Power Market to Test Blockchain to Trade Renewables”

In Web Energy Foundation’s September newsletter there is a discussion paper from the Council on Foreign Relations titled “Applying Blockchain Technology to Electric Power Systems.” An interesting part of the paper on cursory review was Table A1 “Start-Up Companies and Initiatives Utilizing Blockchain in the Energy Sector” as there were 5 pages of global startups documented in the space.

I suppose all of this is to say that a lot of R&D spend and attention are being applied to blockchain technologies and their long-term and future applications potential, much as @Thoth mentioned before.

Faustus October 28, 2018 1:04 PM

@C U Anon

This seems like a relatively accurate description of cryptocurrency issues, wrapped in the usual LOOK AT ME, LOOK AT ME (The Russians might assassinate me!) silliness that seems necessary in our faded academia that gets more funds from gofundme than their university.

I wish I just had the deck because I could consume the actual information in the presentation in two minutes. As it was I just looked for highlights.

Some of the gloss has been demonstrated not to be true. It ignores the fact that bitcoin has successfully run for a decade. The blockchain works, is secure, and to my knowledge does not have a better competing technology to replace it if you wish to have tracking resistant, censorship resistant currency that can travel by wire.

I think the observation that such a currency mainly benefits those who do not want the government to control their money is accurate. I would also add that it benefited early adopters in its rapid price increase. That such people are criminals, or at least any more criminals than the rest of us are, is something that people like to believe, but I don’t personally. I see a lot of agitated nerdy loners in the field, not master criminals. I believe cryptocurrencies give the common person some of the advantages that are clearly being enjoyed by large corporations and the rich, and nothing more.

I don’t want the government to control my money. Sue me. I don’t need to avoid taxes because the US tax code has been rigged so that people like me don’t have to pay any taxes. (Look at the President’s son-in-law to get some idea how it works.) But I would prefer not to be under the complete control of the crazies of the left or right who are both planning their own authoritarian societies. Sorry.

In the end there are two ways to live: Build things, or be a parasite on people who do. I prefer to build things myself. I don’t have that much time to tut tut other people, and I do not have to fashion my views to get people to buy my books, employ me, or gofundme.

If you feel competent, you want freedom. Why would you not? Trying to control other people is weakness or psychopathy. I have handled what I have come up against despite government, not through it. I am happy to see people with limited means get help with healthcare and housing and especially opportunity. I am not happy to see tanks and special forces operating in our city streets.

Although baseline government is fine by me, the increase in governance in the last 20 years offers me nothing additional except greater risk to my freedom. And if I weren’t such an obviously empowered WASP there would also be the additional risk to my life by our burgeoning internal and external security forces who seem less and less connected to our citizenship as a whole.

I know a lot of readers agree with my feelings towards the security state. But still so many are co-opted to fight freedom focused technologies.

I venture a fair use quote of the kind that the EU is striving mightily to censor at this moment while many are whining about the relatively insignificant blockchain:

M. Teste was perhaps forty years old. His speech was extraordinarily rapid, and his voice quiet. Everything about him was fading, his eyes, his hands. His shoulders, however, were military, and his step had a regularity that was amazing. When he spoke he never raised an arm or a finger: He had killed his puppet.

-Paul Valery

Faustus October 28, 2018 1:35 PM


Nice dream! I think you are subconsciously understanding the electoral system at a deeper level!

Nice research on entropy pools too! Thanks for sharing it. I wonder if haveged is enabled on any of the systems. It is designed to populate entropy pools solely based on random differences in the timing of deterministic programs, based on the complex way CPUs now evaluate, cache, and predictively evaluate code.

It would seem to be a good thing to enable on systems that don’t expect keyboard/mouse input. I use it for my nondeterministic genetic solution system, which, quite interestingly, does not have results on windows anywhere near the quality of its linux results. I can only think to blame the entropy source.

Faustus October 28, 2018 2:16 PM

@C U Anon

I’m not sure how somebody’s (your?) negative review of Monsieur Teste impacts on my discussion of blockchain. That the word “bullsh*t” figures prominently?

May I call you kaelan?

Don’t you see how this kind of argument undercuts you? If the best you can do is call BS, well, then you have effectively conceded, no?

You observe in your review that it is premature to call BS if you don’t understand something, and then proceed to explain how you don’t understand Monsieur Teste, so I don’t really need to consider your assessment, by your own standards. Non?

Teste is a work that has spoken to a lot of people. He is basically an anti-hero, an intellect divorced from fellow feeling, a type of autistic (using that word loosely. I don’t know enough to use it precisely. Apologies to anyone on the spectrum who knows better than I. Explanations welcome.)

He is both a superman and an idiot. I have to admit I feel some kinship.

Rather than analyzing the semantics you may be better guided in your impression of M. Teste by what runs through your mind as you read it. Disliking it is a totally valid response, and perhaps one that would be considered more “mentally healthy”!

Genie October 28, 2018 4:30 PM

What’s with IBM’s takeover of Red Hat and Microsoft’s simultaneous takeover of GitHub?

It sounds like a corporate-fascist cyber-takeover of the world, going back to the Groklaw saga of SCO and the Halloween documents.

Scary, but real. It’s Halloween, but not a joke. We need more information.

Faustus October 28, 2018 6:12 PM


Scary. The man in black displays the blade.

Of course, in a very loose sense this blog is already hosted by IBM.

The tumbrel may have been rolling for a while.

Clive Robinson October 28, 2018 6:31 PM

@ Faustus, Tatütata,


I wonder if haveged is enabled on any of the systems. It is designed to populate entropy pools solely based on random differences in the timing of deterministic programs, based on the complex way CPUs now evaluate, cache, and predictively evaluate code.

The last time I looked “haveged” was included in Ubuntu.

You may or may not know “haveged” is based on “havege” from a decade earlier,

I was asked to look into “havege” some years ago and I was not very impressed with it. It made some big claims but they were not really backed by anything you could grasp and analyze. They claimed it met Diehard tests etc, but then any half way functioning fully deterministic PRNG can pass those tests. If you look at the design of havege you can see ways you can write statistical tests that would be way more sensitive to testing for entropy.

I guess the question at the time was “Chaotic or Random?” and it looked way more “chaotic” than “random”. However the real question should have been “Is chaotic sufficient?” the answer to which we now know is “a qualified yes” for most applications.

However you have to be careful when using many systems…

For instance let’s take two very high precision oscillators running at very high frequencies. You feed one into the clock input of a D-Type latch and the other into the data input of the latch. Providing the two frequencies are different, if you look at the output on an oscilloscope it looks very random. The reality is it’s not, in fact it’s nothing like random at all, put the output into either a digital (counter) or analog (low pass filter) integrator and you get a very nice sinewave out…

If you somehow frequency modulate one of the oscillators fractionally you end up with a sinewave with “jitter” that looks like noise, which is actually a product of the frequency modulation. Depending on your modulating signal some small part of it will be “noise” part of which will be from the power supply etc and some small fractional part from thermal noise in resistance. Thus the only true random signal is the fractional part from the thermal noise.

Can you extract it from the rest? No, does it matter? Probably not.

The reason is even for use in cryptography you are not really looking for “Random” just “Unpredictability” which is why sometimes you are better off using a CS-PRNG than you are a TRNG.

The use of the D-Type latch and two oscillators is known as the “Wagonwheel effect” from films where the spokes on the wagon wheel get “sampled” by the film “frame gate”. It is also called the stroboscopic effect that can be used to very accurately synchronize timing, you can actually use the D-Type as a phase detector / mixer in a PLL circuit.

In effect what havege and I assume haveged do is try to use the process in reverse which is to recover the modulating signal. What they actually do is “spread” the random and chaotic signals across the Linear Feedback Shift Register (LFSR) PRNG. Which makes “predictability” difficult, but it’s not really random, because it’s mostly chaotic.

Back last century I designed TRNGs that worked in a very similar way I’ve mentioned it here a couple of times in the past. I used a “thermal noise source” to frequency modulate one of the two oscillators that fed a slightly more complicated sampling arrangement than just a D-Type latch[1]. The output drove an interrupt input to a PIC microcontroller that was running as fast as it could either a Mitchell-Moore PRNG or extended ARC4 CS-PRNG that was acting as a “self stirring” entropy pool. Another interrupt from the RX line of a serial port drove a “bit banging” RS232 interface that would output bytes of data from the PRNG. The side effect of the bit banging input was it added a little more unpredictability to the state in the entropy pool.

It’s this same “unpredictability” technique that havege tried to duplicate, but used a very bad shift register PRNG to do a decade after I had moved on to better techniques…

[1] I used two D-types in series to make a two bit shift register the outputs of which fed into an exclusive or gate. The result is a combined sampler and von Neumann de-bias circuit.
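
The two-oscillator D-type latch sampler described in the comment above, as an added simulation (not code from any commenter, and not a model of havege or haveged internals). The 7.377 MHz and 1 MHz frequencies, the random-walk jitter model and all function names are assumptions made for this illustration, and Python's PRNG stands in for a physical noise source. It shows a bit stream that passes a naive ones/zeros balance check yet repeats exactly at a fixed lag, before and after the XOR stage from footnote [1], and how accumulated jitter removes that long-range repetition.

```python
import random


def latch_bits(f_data_hz, f_clk_hz, n, jitter_cycles=0.0, seed=1, phase0=0.0005):
    """Sample a 50% duty-cycle square wave (data input) on every clock edge.

    jitter_cycles: std-dev, in data-oscillator cycles per clock tick, of a
    random-walk phase error. This is an assumed model of noise frequency-
    modulating the data oscillator; the PRNG is a stand-in for that noise.
    """
    rng = random.Random(seed)
    ratio = f_data_hz / f_clk_hz      # data cycles elapsed per clock tick
    drift = 0.0                       # accumulated phase error (cycles)
    bits = []
    for k in range(n):
        if jitter_cycles:
            drift += rng.gauss(0.0, jitter_cycles)
        phase = (phase0 + k * ratio + drift) % 1.0
        bits.append(1 if phase < 0.5 else 0)   # high half of the square wave
    return bits


def ones_fraction(bits):
    """Naive 'monobit' balance check: fraction of 1 bits."""
    return sum(bits) / len(bits)


def lag_agreement(bits, lag):
    """Fraction of bits that equal the bit `lag` samples later.

    About 0.5 for an unpredictable stream; near 1.0 means the stream
    simply repeats itself after `lag` samples.
    """
    pairs = len(bits) - lag
    same = sum(1 for i in range(pairs) if bits[i] == bits[i + lag])
    return same / pairs


def best_lag(bits, max_lag):
    """Scan lags 1..max_lag and return (lag, agreement) of the most repetitive."""
    scored = ((lag, lag_agreement(bits, lag)) for lag in range(1, max_lag + 1))
    return max(scored, key=lambda item: item[1])


def xor_stage(bits):
    """Two-bit shift register feeding an XOR gate: out[k] = b[k] ^ b[k+1]."""
    return [a ^ b for a, b in zip(bits, bits[1:])]


if __name__ == "__main__":
    F_DATA, F_CLK = 7_377_000, 1_000_000   # constructed example frequencies

    clean = latch_bits(F_DATA, F_CLK, 6000)
    print("first 32 bits      :", "".join(map(str, clean[:32])))
    print("ones fraction      :", ones_fraction(clean))
    lag, score = best_lag(clean, 1200)
    print("most repetitive lag:", lag, "agreement", score)
    print("after XOR stage    :", lag_agreement(xor_stage(clean), lag))

    noisy = latch_bits(F_DATA, F_CLK, 40000, jitter_cycles=0.03)
    print("with jitter, lag", lag, ":", round(lag_agreement(noisy, lag), 3))
```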

Tatütata October 28, 2018 9:03 PM

Clive, Faustus,

I wasn’t aware of the existence of “haveged” until today. It was installed on neither the Ubuntu nor Raspbian machines, but it took about a minute to remedy that.

From the man page:

haveged generates an unpredictable stream of random numbers harvested from the indirect effects of hardware events on hidden processor state (caches, branch predictors, memory translation tables, etc) using the HAVEGE (HArdware Volatile Entropy Gathering and Expansion) algorithm. The algorithm operates in user space, no special privilege is required for file system access to the output stream.

I find it slightly problematic that this program appears to rely on exactly the facilities that made Spectre and Meltdown possible… Wouldn’t the Intel microcode workarounds eventually affect it? Furthermore, if the machine is mostly idle, like during my test, I wouldn’t expect a lot of page faults to occur.

I launched a test run on both the Pi and the Ubuntu machines with haveged enabled, I’ll check them back later today.

Thoth October 28, 2018 10:01 PM

@Nick P, all

ARM TrustZone is now included into ordinary ARM Cortex M chipset. I guess now I have to not only place A series but M series ARM chips as possible chips to guard against.

Latest variant at the ARM Cortex M33, M23 and M35P in the M family that have ARM TZ embedded into it.

STMicro have begun offering the M chipsets with TZ architecture into its STM32L series with the M33 variant of the M family inside as shown in the STM32 catalogue below.

@Nick P, if you still remember we discussed about the USB based pocket HSM using STM32 chips and how I criticized that the use of STM32 chip without the option to extend to a secure element via a SIM card would make it vulnerable to quite a number of physical attacks like flashing the bootloader and image and so on onto the chip or copy contents off chip.

Now there is an ARM TZ variant which is effectively a double-edged sword. On one hand you have a little increase in security but on the other hand all my criticism of ARM TZ comes in. Also, you need to sign an NDA with ARM/Softbank to gain access to develop the ARM Trustlet for the TZ partition.

Probably not as open source as one might intend it to be if gone down that road of using ‘Open Source friendly’ STM32L5 but then …. the TZ trustlet app most likely would have to be locked behind NDAs and closed off if they are using proprietary functions. Another option is to use GlobalPlatform TEE Secure Enclave standardized APIs only to allow it to be somewhat more open.


Thoth October 28, 2018 10:13 PM

@Nick P,

Also included in the link below is the data sheets for the STM32L5 series. Interestingly, STMicro claims to support external and internal tamper detection and reaction packages but did not go into detail on what kind of tamper alarms included.

I guess they are starting to armour up the STM32 family to thread between the line of an openly accessible electronics setup and something coming very close to a smart card chip by adding tamper handling mechanisms.

In the STM32L5 data sheet, it uses 32 x 32-bit backup registers rigged to tamper alarms which I suppose would zeroize the registers when tripped.

I would speculate the internal tamper protection region only covers the physical area of the tamper protection registers instead of the entire chip which as we can see from past history of de-capping chips, a partially tamper protected region is only going to yield not much effective protection because the CPU and ALU units are most likely unprotected and when the sensitive operations are loaded to CPU and ALU units and caches to process, you could still read out the data although they did ‘internal pull up’ alarms which I suppose are used to detect line glitching attacks and attempted read outs but I wonder if the tamper protection extend far enough to be effective.

It is a nice try trying to push smart card security onto conventional off-the-shelf general purpose chips but still not good enough and the TZ is really a pain in the sides since it opens up possible attack vectors via more efficient firmware based bubble up attacks via malicious TZ firmware images that might have some how slipped into production line via accidental or purposeful intent.


echo October 28, 2018 11:58 PM

It is hoped that MI5’s approach, techniques and greater powers will allow it to discover more about the violent intentions of the extreme right than the police can.

The changes will see MI5 formally take responsibility for identifying suspects and assessing what danger they pose, conducting network analysis and ranking threats.

Police have the executive lead, which means they will take over when the time comes to disrupt a plot and make arrests.

UK police are traditionally bad at complex issues and social issues and utterly resistant to change. UK police even where statutory obligations exist have zero interest in assessing discrimination data and identifying threats.

The use of mass, public communication, usually against a particular individual or group, which incites or inspires acts of terrorism which are statistically probable but happen seemingly at random.

We all know about the low hanging fruit. What about the terrorism equivalent of white collar crime? When will politicians and others with a position of influence and power be held to account?

Clive Robinson October 29, 2018 4:06 AM

@ Thoth, Nick P (if you are still with us 😉)

I guess they are starting to armour up the STM32 family to thread between the line of an openly accessible electronics setup and something coming very close to a smart card chip by adding tamper handling mechanisms.

But armour up for whom…

How long is it now that ARM were taken over by “Softbank” who also took over “” then sold off a big chunk of ARM (51%) at about 1/10th of its value to be owned by a Chinese holding company?

Note that at least three of those investors are arms of Chinese state, which has rattled more than a few people,

But that’s all OK according to the UK’s ex-chancellor George “gidiot / White lines / China White” Osborne. Who now acts as a not too competent editor of the UK Evening Standard whose ownership is by a Russian Oligarch… Oh it’s rumoured that some of gidiot’s relatives are not unknown in Mossad and other Israeli Intelligence organisations. But more clear is his friend and then boss David Cameron PM was inordinately Pro-Israeli…

It’s a funny little world when you start digging.

echo October 29, 2018 7:54 AM

The UK’s rulebook for spies is “unfit for purpose” and risks repeating Britain’s “shameful” involvement in the torture and mistreatment of terror suspects following the 9/11 attacks on the US, a cross-party group of MPs has warned.

The MPs said the government should issue new guidance to officials and ministers that prohibits UK involvement in any action that carries the risk of torture, cruelty or extraordinary rendition — the practice of sending overseas suspects to other territories for interrogation.


Mr Clarke said there was no “serious reason” not to proceed with the inquiry and added: “I don’t mind our intelligence services being tough and ruthless. But when you get to unlawful rendition and torture, a civilised country like the UK needs to have absolutely clear guidelines.”

While welcome any decent lawyer knows that guidelines carry much less weight than statute and that guidelines are simply guidelines. In practice guidelines in the hands of a state official can be twisted and bent up as far as they believe they can “get away with it” which is not the same as best practice or in some instances not even legal. This kind of thing isn’t much help after the damage has been done.

Thoth October 29, 2018 8:46 AM

@Clive Robinson, Nick P et. al.

“But armour up for whom…”

Thus my hinting that it is a half-baked effort and as usual when it includes ARM TZ, it suddenly becomes a less viable option for any security components since ARM TZ potentially makes attacks more deniable in a way with excuses like bugs in firmware for TZ layer.

ARM’s efforts for ‘securing Cortex M series’ is rather odd. They could have provided these features long time ago but they did not. All of a sudden after so many years, they decided to bring out ‘higher security features’ into the mix.

bioman October 29, 2018 10:04 AM

@echo, re. Brain wave based authentication

EEGs are tricky to measure, as per the other poster’s comment. But – quantum entanglement is easy to measure, and would likely be the means by which such a password scheme could work. Entangled photons and their correlations would be transferred via the password holder’s eyes.

Tatütata October 29, 2018 10:24 AM

I ran the test with haveged enabled on both Raspbian and Ubuntu-ish.

My trivial test program reads 10 sequences of 1000 bytes each, with an intermediate delay of 1000 seconds. With the default /dev/random I could see patterns emerge under the standard /dev/random.

But now, with haveged installed, each sequence took next to 0 seconds. Initially, what I was seeing made no sense to me. I first thought that bit rot had set in, and tried patching things in a somewhat haphazard way, but eventually accepted that what I was seeing was what was happening: reading 10,000 bytes one byte at a time from /dev/random hardly took ~130ms, which works out to 13µs/byte. Calling the time-of-day function eats essentially none of that time.

This is what the result looks like on ubuntu. The 1ms steps appear to be the accuracy of the time-of-day function. I did away with the intermediate 1000s delay, which makes no sense here. The result on Raspbian is very similar, and isn’t presented.

I ran some tests from bash, comparing random and urandom.

# read 10M from /dev/random
# check entropy pool counter before and after

cat /proc/sys/kernel/random/entropy_avail;\
time head -c 1000M /dev/urandom >/dev/null;\
cat /proc/sys/kernel/random/entropy_avail


real 0m4.392s
user 0m0.016s
sys 0m3.960s

This works out to ~420ns/byte, or ~52ns/bit. This seems very very low. Can you really extract that much real entropy from a few high-accuracy timings of CPU events?

This is also much faster than my test program. Its inefficient byte-by-byte transfer can’t explain this difference. The more you get from haveged, the faster it seems to become. If at this point I run the test program again, it completes in just a few milliseconds.

After many runs, I can’t really make sense of the entropy counter value either, which jumps all over the place.

Now I compare with /dev/urandom, reading much more data (1M=1024^2).

# read 1000M from /dev/urandom
# check entropy pool counter before and after

cat /proc/sys/kernel/random/entropy_avail;\
time head -c 1000M /dev/urandom >/dev/null;\
cat /proc/sys/kernel/random/entropy_avail


real 0m55.408s
user 0m0.068s
sys 0m55.336s

YMMV, especially if there are other tasks running, but /dev/urandom is about 100 times faster than /dev/random with haveged enabled (and billions of times faster than the standard /dev/random when the entropy pool is exhausted). Reading in bulk from urandom takes about 4ns/byte.

This does not inspire trust, and this might be part of the reason why haveged isn’t installed by default. And I have no idea how haveged might interact with Meltdown and Spectre remedial measures. E.g.: one suggestion I read was to fuzz the high-accuracy timer, or make its accuracy a matter of privilege.

Conclusion: I removed haveged.

Tatütata October 29, 2018 10:31 AM

I should hire a proof reader.

The first set of commands should be:

# read 10M from /dev/random
# check entropy pool counter before and after

cat /proc/sys/kernel/random/entropy_avail;\
time head -c 10M /dev/random >/dev/null;\
cat /proc/sys/kernel/random/entropy_avail

Timothy October 29, 2018 11:09 AM

The Bureau of Industry and Security (BIS) is seeking public comments regarding electronic waste and possible amendments to export authorization requirements.

Comments are due December 24, 2018.

Background: In recent years, a number of Congressional studies and actions, including the “Inquiry into Counterfeit Electronic Parts in the Department of Defense Supply Chain” published by the Committee on Armed Services in the United States Senate (Armed Services Report), as well as the “Secure E-Waste Export and Recycling Act” (H.R. 917), have raised concerns regarding counterfeit goods that may enter the United States’ military and civilian electronics supply chain. One of the potential sources for these counterfeit goods identified in the Armed Services Report is the unregulated recycling of discarded electronic equipment that has typically been shipped overseas from the United States for disposal. […]

bioman October 29, 2018 11:12 AM

How to grab the correlation of a photon without destroying it? Outside of the three step idler photon scheme, probably some derivation of this sort could work better still:

Obviously decoherence != absorption, necessarily. But that path leads to the right one, IMO. It’s just a matter of time (pun).

Pasta bowls don’t work against quantum entanglement 🙂

Faustus October 29, 2018 12:00 PM

@ Clive, Tatütata

I use a lot of random numbers for a non-cryptographic purpose. “Chaotic” numbers probably serve me as well as “random”. I wouldn’t have thought that the details are that important for running my nondeterministic program, but it gets horrible results under windows with the same code (written in Go), and the random number quality is what comes to mind as an explanation.

The haveged documentation mentions that it has an internal 8M byte pool. As a daemon it probably starts running quite early. You may want to try to grab bytes until they don’t come so quickly before starting measurement to get some idea of how quickly bytes are actually harvested from the cpu.

I don’t make any recommendations about a source of entropy for cryptographic purposes. I don’t strongly trust any of them. But a process running quickly and providing bytes on demand as advertised is an incomplete reason for distrusting it any more than the other sources, which we all have good reason to believe have been intentionally biased in favor of the all seeing EYES. (This includes haveged too.)

Timothy October 29, 2018 12:33 PM

Decoding the Bombshell Story for China
by Samm Sacks, Senior Fellow, Technology Policy Program, CSIS


As Jorge Guajardo (former ambassador from Mexico to China) explained in a series of tweets, “it puts a nail in the coffin of China’s aspirations to develop a microchip industry. There will be no market for them, and China’s is not big enough”. He went on to explain how “it gives the United States the upper hand in convincing allies and non-allies around the world to be weary of Huawei and ZTE. It comes at a key moment when countries are deciding how to upgrade to 5G. This may be a lethal blow for Huawei. No one will trust them.” Huawei has already been banned from participating in Australia’s 5G network.

Clive Robinson October 29, 2018 1:28 PM

@ bioman,

Pasta bowls don’t work against quantum entanglement 🙂

In the majority of Qbit cases of course they will…

Curious2 October 29, 2018 2:09 PM

@ All,

Thank you for the responses and ideas. I will provide a couple examples and attempt to clarify my requirements / threat model.

I started thinking about this again after reading a recent comment and subsequent discussion from Wael about “Security by Obscurity” becoming a necessity under certain circumstances.

My particular use case is related to an employment contract which lays claim to any intellectual property I produce while employed. It may not hold water in court, but the contract is plain enough in intent. Often, I find it helpful to write down the particulars of an idea while it is fresh. Aside from avoiding forgetfulness, it is valuable to revisit these notes when thinking of new solutions in a similar problem space. The problem is that these notes, even if hand-written, could be used as evidence by my employer to claim ownership of an idea.

Therefore, I have a dilemma if I happen upon an idea in the course of my work which I do not want my employer to own. Some options are: to write it down immediately using company equipment and risk losing ownership, to attempt remembering and recording the idea later and risk losing details, or to devise a ‘secure’ journaling method.

An example of this notion in popular culture is the evil doctor in the latest Wonder Woman movie. The doctor records hand-written notes in a notebook using a dead Samarian language. Because few people speak or read the language her notes are not understandable even if the notebook is taken. This works relatively well, but it doesn’t have remote-access and has the downside of requiring the user to be highly proficient in writing and reading an obscure dead language.

@Curious3, I agree — I wouldn’t trust off-the-shelf note apps for this purpose. It might suffice for my situation depending on how deeply backdoored my employer-provided hardware is, but I would like something better if possible.

@Gunter, that is a good idea. Thank you. I will try to set something like that up. Combined with client-key rotation and a server-only master encryption secret this might be sufficient for my purposes. I would still need something for conflict resolution but if I’m the only consumer I might be able to avoid concurrent access.

@Anders, apologies for not providing more clarity in my initial post. Let me know if you see any gaps in the threat model after reading this.

@JG4, Yes, exactly. Please let us know if you get around to extending your solution to include remote access. It would be very useful.

@Clive, Thank you for the detailed assessment. I think you are correct that some requirements end up with negative impact on the others.

For #1, I like the idea of allowing off-line working and re-syncing. It would require some user-adherence to only making updates in one device at a time. Synchronization is a tough problem here otherwise. As you suggest, one option would be to back the store with GIT. However, that could complicate the server encryption and the ability to back-up/replicate the remote store if needed.

For #2, I agree about the problem of handling the data when it is not ‘at rest’ or ‘in transit’. I think your point here gets at the crux of this. Which, possibly overlaps with Thoth’s efforts to build an auxiliary or detachable trusted data entry and data viewing device. I think if the threat model includes state actors a device like the one Thoth is building would be necessary to achieve assurance around protecting the data as it is accessed / processed.

For #3, What I was going for here relates to #2 in practice so it is probably redundant. This is where Wael’s postulation about “Security through obscurity” got me thinking about this problem again. As you outlined regarding #2, there is a lot of complexity at work between the encrypted state and the viewed state. This is problematic from a total assurance point of view but it is an ‘opportunity’ of sorts if you are looking for effective obscurity.

For #4, I was thinking of some kind of hash-based or signing assurance. I was thinking it might work to use the double ratchet from Signal (possibly with modification). This would yield a couple of neat properties. For example, a ‘reader’ device or instance might be constrained in its blast radius when compromised by using the double ratchet. Alternately, the signing properties can be used to ensure messages go forward atomically and are not modified. If user-adherence to the single-update rule was not followed you could resolve conflicts by leasing a signing token to writers, writing atomically, then rejecting updates from other tokens issued (pushing resolution into the writer).

@Anders, Thanks for the idea. That also could work but I think it would primarily function as an obscurity measure. It does highlight the option to use an old protocol or system to evade modern detection capabilities. This would be similar to writing a notebook in an old/dead language that few people understand.

Jonathan Wilson October 29, 2018 4:28 PM

New statements from the Australian spy agencies as to why keeping Chinese companies out of telecommunications infrastructure is necessary

Given what we have seen in the Snowden revelations about how the NSA has tampered with and added backdoors to networking and telco gear made by US companies like Cisco and given that the Chinese equivalent is no doubt just as capable, it’s not surprising these spy agencies (NSA, GCHQ and others) are concerned about compromises in Chinese gear.

Zig October 29, 2018 7:20 PM

I’m just going to leave this here.

There is a zero-day exploit bootkit and RAT in the wild that can exploit any OS including Android, linux, Ubuntu, Apple, Windows 32/64 bit 2000 thru 10 inc servers as well as various hardware mfg, routers, cell phones & intel & peripheral firmware. It can access the internet without internet access, firewall services locked down, wifi, Bluetooth disconnected on sys board in a clean room through electro-magnetic radio pulse frequencies? Cannot be detected by any known malware/anti-virus/rootkit detection software. Takes 30 seconds to infect

It loads up in protected encrypted hypervisor before normal OS is loaded on ram disk. It maintains a server/client relationship. It operates in ‘God Mode’ protecting system SID and total control over group policy, trusted installer, task scheduler. It mirrors, keylogs, captures and exfiltrates all data through remote access connection via terminal server? Device mgr has a number of unknown devices that should not be on this computer. Boot up w/o HD only dvd retail Windows install disk Shift to cmd screen X:drive with every ver msft OS starter-enterprise, every country, dates do not match install disk.

Process explorer shows ownership to unknown SIDs in svchost files, autoruns indicate control by remote control registry

Msft, Intel, Various anti-virus and malware vendors, computer mfg notified… to date crickets….hmm could it be something serious?

Unknown if this is part of Intel SMM AMT or ME via USB exploit, Meltdown, Spectre, variant of ATP 28, hypervisor-threading malware, GPU para-virtualization etc.

Reported many yrs ago on very lengthy msft technet forum post ignored Been reported on other forums as well. Could impact tor. Best to read post last to first


Clive Robinson October 29, 2018 7:47 PM

@ Jonathan Wilson,

New statements from the Australian spy agencies as to why keeping Chinese companies out of telecommunications infrastructure is necessary

It actually says very little…

The logical conclusion of such thinking is “every one is doing it” in which case logic dictates “The solo road” for the entire infrastructure very bottom to very top. As Australia does not really make much in the way of electronic components, it’s just going to run into the “supply chain” issue, which really can not be fixed…

Perhaps ASD could actually explain where they are going to get their 5G kit from and explain why it’s any safer?

If it comes from the US or Israel then it most certainly will be tainted, as it would be from China.

That kind of leaves Japan and Europe my bet would be Japan. But… Where are they going to get the components from? General purpose CPU chips of acceptable performance are going to be US or China now ARM is where it is… Most European telco manufactures went with ARM or similar purchased in designs back when it was wholly UK owned company.

As @Thoth has pointed out having had a sensible design for some time they now sling in TZ which really is bad news security wise. All since ending up with China getting a significant stake at a “fire sale” price…

The problem is it is an assumption that these Chinese Companies are or might be doing something bad[1], but a racing certainty based on “previous” that the US and Israel are. The UK almost certainly is as well, thus the question arises about Japan/continental Europe. Well we have reasonable suspicion both Sweden and Germany are also up to these games as are the Dutch, all thanks to the US “flapping its gums” for political point scoring…

So where ever the ASD are going to look they are going to find the same problem…

[1] As a regular poster here can confirm Huawei have gone to great lengths in the UK with the commerce facing side of GCHQ to show there is nothing up their sleeve… The question thus becomes with this very close observation can they slip something past the GCHQ bods. Well the Post-Noel present from Intel and Co shows that the answer is probably, the question then becomes “would they?” which kind of brings us to the Bloomberg news items that few believe for fairly good reason (ie “no testable evidence” etc). The question then becomes “Who is gaming who?” and as I posed to @Thoth earlier today “But armour up for whom?”.

JG4 October 29, 2018 9:06 PM

@Faustus – I got a kick out of your list of problems that blockchain doesn’t solve. The issue is connecting data models to the real world. You can see the same forces at work, where corporations and governments are trying to tie every economic transaction (really every increment of motion) to your identity. I don’t have a problem with tying product attributes to blockchains and other consensus algorithms. One root of libertarian thinking is self ownership. That has a lot of implications, e.g., being against slavery, allowing people to do what they want with their bodies, up to and including permanently withdrawing consent. I own my thoughts, voice, communications and data, at least when they are running on my hardware. That guides my thoughts on what kind of hardware and software I want to own. Hint: If the hardware isn’t doing what you want, you don’t actually own it.

NakedCapitalism helped me see the world from a left libertarian perspective. Before that, I was a bit rabid with right libertarian thinking. Long ago, and probably not here, I quipped that I represent the anarchist wing of the libertarian wing of the Republican party. More recently I’ve become an equal-opportunity hater. The two parties in the US share roughly equal responsibility for the decline of the Republic. The death throes of empire are very dangerous. It’s not that I’m fascinated with NakedCapitalism, but I find it to be an excellent daily news compendium that is much better than the US media in general. In particular, they have excellent coverage of issues like these:

IBM Buying Open Source Specialist Red Hat for $34 Billion Wired

From today, it’s OK in the US to thwart DRM to repair your stuff – if you keep the tools a secret Register. Caveats to the recent DRM ruling.

Khashoggi BOMBSHELL: Britain ‘KNEW of kidnap plot and BEGGED Saudi Arabia to abort plans’ Express (Furzy Mouse).

Our Famously Free Press

Download Our Guides For Verifying Photos And Videos First Draft

Younger generations are actually better at telling news from opinion than those over age 50 Nieman Labs. There’s a quiz. I scored 100%, as I bet most members of the NC commentariat. So I am still moving quite briskly about.

Big Brother Is Watching You Watch

Now Apps Can Track You Even After You Uninstall Them Bloomberg

echo October 29, 2018 9:32 PM


I will never forgive the owners of ARM for selling a UK strategic asset. Further to the sale and other issues it is widely known the UK has no strategic industrial policy. In fact no real strategy at all with anything.

Thinking of the selling off of British Gas (mostly to the New York firemen’s pension fund) which maintained large warehouse supplies across the country ‘Just In Time’ is a good idea in many ways but a failure in others. Boots is another strategic asset sold off to leveraged money. This can only make issues like how many lines stores stock problematic. While out shopping for a lipstick match I noticed they didn’t carry much in the way of one brand so switched to another actually better quality brand. It crossed my mind to buy the top end but this too suffered from the same problem. They only maintained a small stable core set of product lines. The rest were a lottery as the shop assistant explained. Outside of big brands who maintain their own supply chain you can see similar failures of warehousing and product lines across most of retail. All of this results in a net outflow of capital to none economically active, fiscal pressures to cover unnecessary debt, and a weakening of economic activity in the real economy.

While Russia is fairly candid in its dealings and domestic economic situation there is abuse of position by the Chinese who have a lot of dirty money in their system and need to translate this into legitimate real economy assets. The same is even more true of Saudi Arabia. America isn’t squeaky clean either because exceptionalism tends to stamp everything with brand America which covers up the real financing for a lot of US activity is actually EU capital and high value immigrant talent. All of this makes the UK more and more dependent on the corrupt City.

The supply chain issue, capital, and real economy are big issues. In some respects ‘security’ is the symptom not the cause.

echo October 29, 2018 9:53 PM

Universities in the US, UK, Australia, and other countries may have been unknowingly collaborating with China’s military.

That’s according to a new study by Canberra-based think tank Australian Strategic Policy Institute (ASPI), which found that dozens of scientists and engineers linked to China’s People’s Liberation Army (PLA) had obscured their military connections when applying to study overseas.

Most strikingly, said ASPI, the collaboration is the highest among the “Five Eyes” countries—an intelligence alliance consisting of Australia, Canada, New Zealand, the UK, and the US—which counts China as one of their “main intelligence adversaries.” The fear is that such scientists could be engaging in espionage or committing intellectual-property theft during their stints overseas.

The article itself is very heavy on discussing men in a scientific role with no clear mention of Chinese female scientists. What a surprise! The photo illustrating this article is of women relegated to being eyecandy with young Chinese female military personnel sticking their chests out.

Mary Beard experienced something similar in a historical documentary production as all her talk to camera pieces were edited out.

I have personally turned down a documentary because the production company wouldn’t enter into proper discussions on editorial and artistic and other rights and I felt the public policy issues I wanted to discuss would do a disappearing act and I would be on television just for the eyecandy. I know I could possibly have leveraged this but being a production mouthpiece on daytime television never has been my life plan.

Wesley Parish October 30, 2018 5:53 AM

@usual suspects

Well, I’ve just seen – for the first time – Dumb and Dumber, so I feel extraordinarily well qualified to comment on Decoding the Bombshell Story for China

(I’ve also read Californian chap sets his folks’ home on fire by successfully taking out spiders with blowtorch at so feel I understand the mechanics of chopping off the branch you’re sitting on, while you are sitting on it.)

Basically the Bloomberg story is an attempt to rewrite Dr Strangelove or How I Learned to Stop Worrying and Love the Bomb as economic, not military, conflict. While studiously avoiding the reality that Dr Strangelove is farce, not documentary. (Patrick Kennedy in Investigating Implausible Bloomberg Supermicro Stories at does make the point that Bloomberg adds a highly distasteful ethnic slant to their story:

We are not going to print the rest of the section because it paints the employees in a way trying to tie them to China and Taiwan. This may be part of Bloomberg’s agenda with the piece, but we are not going to publish comments that are trying to incite a feeling about a company due to the ethnicity or cultural backgrounds of its employees.

This has a nasty feel of Cold War and Jim Crow about it.)

echo October 30, 2018 6:14 AM

Humanity has wiped out 60% of animals since 1970, major report finds.
The huge loss is a tragedy in itself but also threatens the survival of civilisation, say the world’s leading scientists.

The world’s nations are working towards a crunch meeting of the UN’s Convention on Biological Diversity in 2020, when new commitments for the protection of nature will be made. “We need a new global deal for nature and people and we have this narrow window of less than two years to get it,” said Barrett. “This really is the last chance. We have to get it right this time.”

Tanya Steele, chief executive at WWF, said: “We are the first generation to know we are destroying our planet and the last one that can do anything about it.”

Goodbye wasteful blockchain?! On other issues I expect computer hardware designers may consider designing for quality and supply chains are likely to contact. I also expect or hope rather that security by necessity would be baked in from the beginning to avoid the need to inflate manufacture-recycle.

@Wesley Parish

I’m avoiding movies like Dumb and Dumber. My ongoing search for a lawyer, as per Clive’s advice (while keeping an eye on “Plan B”), has turned into a headscratching farce. I need to give myself personal space and time to review things before writing something this security orientated blog can absorb.

Well, I’ve just seen – for the first time – Dumb and Dumber, so I feel extraordinarily well qualified to comment on Decoding the Bombshell Story for China

That was a good article. The political subtext seems to be “Never waste a good crisis?” If I have one nitpick it’s the US-centric nature of a lot of US media which gets up my nose. Original stories and data are often edited to the US centric point of view which loses a lot of detail. I feel uncomfortable with this as it edits out positive globalisation and makes discussion unipolar.

vas pup October 30, 2018 11:54 AM

On drones:

“New model

The Chinese firm continues to develop drones aimed at professional users – such as the new Mavic 2 Enterprise, which has been designed for uses including search and rescue.

Among its features is a 100-decibel loudspeaker that can be used to broadcast pre-recorded messages.”
[Good utilization for crowd control including border security. I guess LRAD could be installed on drones as well for same purpose].

Can we predict when and where a crime will take place?
“Ever since the Philip K Dick novel The Minority Report, which was later turned into a Tom Cruise blockbuster, was published in the 1950s, futurists and philosophers have grappled with the concept of “pre crime”. It’s the idea that we can predict when an offence is going to occur and take measures to prevent it.

Now artificial intelligence and machine learning mean this concept has leapt straight from the pages of science fiction into the real world.

Tech firm PredPol – short for predictive policing – claims its data analytics algorithms can improve crime detection by 10-50% in some cities.

Many forces have traditionally used “hot spot analysis”, where past offences are recorded and overlaid onto a map, with officers concentrating on those areas.

But PredPol and others working in this space, such as Palantir, CrimeScan and ShotSpotter Missions, say that traditional hot spot analysis is just reacting to what happened yesterday, not anticipating what will happen tomorrow.

AI and machine learning can spot patterns we’ve never noticed before.

“Machine learning provides a suite of approaches to identifying statistical patterns in data that are not easily described by standard mathematical models, or are beyond the natural perceptual abilities of the human expert,” says Prof Brantingham.

Frederike Kaltheuner, data programme lead at civil rights group Privacy International, wonders whether it will also be used to predict police violence and white collar crime, or simply used against communities that she says are already marginalised.

“We’re moving away from innocent until proven guilty towards a world where people are innocent until found suspicious by opaque and proprietary systems that can be difficult, if not impossible, to challenge,” she says.

[These AI pre-crime tools are good for criminal intelligence as other tools. They are not substitute/replacement for good smart LEOs/IC folks – I guess]

Rach El October 30, 2018 2:04 PM

Initiative Q

An alternate payment system seeking to supersede credit cards and is aiming for trillions of $ in transactions. Not an ICO, they say.

Invented by Saar Wilf whose payment-related Fraud Sciences was acquired by Pay Pal.
takes a hard stance against cryptocurrencies in the FAQ including illustrating some of their liabilities not commonly discussed

There’s a strong scent of delusion around the fact there’s no labour to support it. And it wants to be pegged to the USD and be a universal currency, units of Q.
I am yet to read a reason why it’s better than cash.

For the literate members here your feedback would be welcomed. They are giving away currency as an incentive to join suggesting they could be valuable if the project takes off.

Weather October 30, 2018 2:28 PM

Is there any information on the computer code, adjust you site it sounds like bitcoin at the beginning just selling speculation, sell to a greater fool

Rach El October 30, 2018 4:30 PM


I didn’t say I was a proponent. It is worth making such things known to communities like this one, who wish to stay abreast of technical developments for better and ill. Particularly given its counterpoint to blockchain. Mr Schneier at the very least deserves to know.
I did question the concept of speculation aka securities – there is a conflating of terms. Is it currency or is it a security? A question Bitcoin proponents refuse to acknowledge

Clive Robinson October 30, 2018 6:11 PM

Apples and Helium do not mix

Apparently Apple have in more recent products changed the standard can 32KHz Beta cut crystal for time keeping to a MEMS oscillator device.

The problem is the seal on the MEMS devices Apple have chosen to use are not “full spec” thus they allow the ingress of helium amongst other gases to cross into the MEMS device changing its vapour pressure and stopping it oscillating. Without the “time keeper” oscillator much of the software fails to operate…

If your Apple does get helium poisoned which can take as little as four minutes it can take at least a week and a full battery discharge to get the MEMS back to life…

So all those “mummies and daddies” at junior’s birthday party, keep your Apple device away from the balloons…

Clive Robinson October 30, 2018 6:26 PM

@ Bruce,

Not quite squid, but…

A second deep sea nursery octopus garden has been discovered by scientists. Chad King, chief scientist on the Exploration Vessel Nautilus estimates,

    that more than 1,000 octopuses known as Muusoctopus robustus were nestled among the rocks, most of which appeared to be inverted, or turned inside out. For this species, that inside-out pose is common among females that are brooding, or protecting their growing young. In some cases, the submersible’s camera could even spot tiny embryos cradled within their mothers’ arms.

Clive Robinson October 30, 2018 6:52 PM

Mozilla and telemetry privacy.

As we should know all browser developers try to get data back from their browsers (unless you stop them).

Apparently in recent months, Mozilla have been experimenting with one such system,

    Prio, developed by Professor Dan Boneh and PhD student Henry Corrigan-Gibbs of Stanford University’s Computer Science department. The basic insight behind Prio is that for most purposes we don’t need to collect individual data, but rather only aggregates. Prio, which is in the public domain, lets Mozilla collect aggregate data without collecting anyone’s individual data.

The notion of collecting aggregate data with anonymity goes back to a cryptographer’s daughter. Apparently when a group got together and had a chat over dinner the idea came up about how to find the average income of the cryptographers without any cryptographer giving away how much they actually earnt. According to the story they were stumped until the daughter of one said she knew how to do it… And proposed an elegant solution.

All of that aside the idea of gathering data as an aggregate will appeal to many as with a few sage safeguards it does give privacy to individuals whilst still allowing developers to get useful performance figures etc.
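
The aggregate-only collection described in the comment above can be illustrated with additive secret sharing, where each client splits its value between servers that only ever see random-looking shares. This Python sketch is an added example, not part of the original comment and not Mozilla's or the Prio authors' code; the modulus, the server count, the `MIN_BATCH` threshold, all names and the sample values are assumptions, and it omits the checks a real deployment needs to reject malformed client input.

```python
import secrets

# Assumption: a prime modulus for share arithmetic (2**61 - 1 is a Mersenne prime).
P = 2**61 - 1
# Assumption: servers refuse to publish a sum over fewer clients than this,
# because an aggregate over one or two inputs reveals near-individual values.
MIN_BATCH = 3


def split(value, n_servers=2):
    """Split value into n additive shares mod P.

    The first n-1 shares are uniformly random; the last is chosen so that
    all shares sum to value mod P. Any n-1 shares on their own are
    uniformly distributed and say nothing about value.
    """
    if not 0 <= value < P:
        raise ValueError("value out of range for the modulus")
    shares = [secrets.randbelow(P) for _ in range(n_servers - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


class Server:
    """One aggregation server: it receives exactly one share per client."""

    def __init__(self):
        self.acc = 0      # running sum of the shares seen so far, mod P
        self.count = 0    # number of client submissions accumulated

    def receive(self, share):
        self.acc = (self.acc + share) % P
        self.count += 1

    def publish(self):
        # Only the accumulated total ever leaves the server, and only
        # once enough clients have contributed.
        if self.count < MIN_BATCH:
            raise ValueError("batch too small to publish")
        return self.acc


def aggregate(values, n_servers=2):
    """Return sum(values) computed from the servers' published totals."""
    servers = [Server() for _ in range(n_servers)]
    for v in values:
        for srv, share in zip(servers, split(v, n_servers)):
            srv.receive(share)
    # Adding the per-server totals cancels the random masks.
    return sum(s.publish() for s in servers) % P


def average(values, n_servers=2):
    """Average of the clients' values, learned without seeing any one value."""
    return aggregate(values, n_servers) / len(values)


if __name__ == "__main__":
    incomes = [120, 95, 300, 40, 77]  # constructed sample values
    print(aggregate(incomes), average(incomes))
```

The privacy claim holds only while at least one server keeps its shares to itself; servers that pool their shares can reconstruct every individual value.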

echo October 30, 2018 8:26 PM


The problem with even anonymised telemetry is similar to excuses given by other organisations for standard interrogations. There is a risk of creating a climate of cavalier behaviour and “nod along” so anyone who objects is labelled “odd”. This can turn into “normalisation” of “objectification” and “weakening of social feedback mechanisms” all of which create more “distancing”.

If I can reverse the question of “what happens when data is aggregated?” to “what is the aggregate effect of data gathering?” how do things look?

I believe people need an analogue space they can retreat to and this is as true and sometimes more true for women than it is for men. It’s not about being isolated but realising a conscious decision to retreat. Anonymised data suggests it is a half way house between “airport mode” and “collect it all” but I’m not completely convinced. The argument is more soft and fuzzy “wellbeing” but “wellbeing” is actually a thing. “Man caves” are a cliche and the media this week made a thing, quite patronisingly I thought, of the increase in popularity of the “she shed” women are buying to have their own space away from the clutter and chaos of life. What I suppose I am getting at is between “airport mode” and “collect it all” there isn’t a “retreat” or “shed” mode. Anonymised data is sold as this mode but when viewed not just as a technical system but as a psycho-social system there is still a presence of arbitrary control.

Maybe I’m being nitpicky and I can accept this accusation. I’m just not convinced technical solutions as is are quite the “get away from it all” they say they are.

Tatütata October 31, 2018 12:34 AM


Re: Helium


Helium can readily pass through spots too small to let other molecules through, such as diatomic gas beginning with N2 and O2, or water vapour. It ain’t for nothing that the standard technique for high vacuum leak detection uses helium.

Yet, the partial pressure of that helium must have been very small, and the gas first had to diffuse through the phone’s outer openings and then into the chip package, probably around the leads.

Many MEMS are vacuum packaged.

From a random patent application:

[0015] A MEMS package formed by the package formation method described above is characterized by being capable of maintaining an interior vacuum condition of [1E-4] Pa at least for 6 months. With such a package, operations of MEMS inside the hollow-sealed interior space can be maintained for a long term.

That sounds like a general requirement lifted from a spec. 1E-4 Pa works out to 0.7µtorr, which falls within the conventional definition of a high vacuum. (Ha! Does that make the chips vacuum valves?)

Even though helium also has exceptional sound and heat conduction properties, it is interesting how little of it was enough to interact with the MEMS.

I remember long discussions in the late 80s about the reticence of the military in accepting plastic packaged chips, even though their water vapour ingress had dramatically improved since the 1970s. Ceramic packages dramatically increase costs and decrease designer choices, even when the chip doesn’t have to be MIL-STD-883 qualified.

Could that lead to a new specification people won’t remember why it was created in the first place? Helium contamination is probably too rare to worry about. Losing a hundred pounds of rare and costly helium is a bad thing. MRT machine designers might eventually still want to avoid MEMS. Helium is also used aboard spacecrafts.

A friend in the cable business told me of an old spec that was lying in some particular customer requirements, the gopher test. The recipe: take one piece of telephone cable, and insert it through the openings of a specially adapted cage otherwise containing a hungry gopher. Leave the two together for a while.

echo October 31, 2018 3:30 AM


Helium contamination is probably too rare to worry about. Losing a hundred pounds of rare and costly helium is a bad thing.

I noticed this!

Wesley Parish October 31, 2018 5:29 AM

@usual suspects

As you may have suspected, you are indeed suspects and are suspected of everything under the Sun.

This is how the US DoD interprets its obligations to defend the US constitution, which does include such radical ideas as:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Fun and games if you happen to be a US citizen. Perhaps the upper echelon DoD staff take an oath to defend the US Constipation? Rather than the US Constitution? Or perhaps it’s the US Constitutional?

Pentagon Wants to Predict Anti-Trump Protests Using Social Media Surveillance

The United States government is accelerating efforts to monitor social media to preempt major anti-government protests in the US, according to scientific research, official government documents, and patent filings reviewed by Motherboard. The social media posts of American citizens who don’t like President Donald Trump are the focus of the latest US military-funded research. The research, funded by the US Army and co-authored by a researcher based at the West Point Military Academy, is part of a wider effort by the Trump administration to consolidate the US military’s role and influence on domestic intelligence.

Well, for what it’s worth, it wasn’t the posts of the Trump opponents that led to the deaths of the worshippers in the Tree of Life synagogue.

“This sort of military funded social science research tends to occur in an ideological echo chamber, where groupthink predominates and dissent or concerns about the applications of this work is missing,“ he told me. “Among the basic assumptions that social scientists outside this group would question are assumptions that civil unrest or protests are not core elements of democracy that need to be protected, [rather than] undermined by surveillance—and the oppression that follows such surveillance.”

I concur with this assessment:

The problem is that however seemingly minor, “shifts in homeland defense doctrine increasingly create possibilities for military and civilian intelligence agencies to engage in political surveillance and harassment,” said Price. “With an unstable president who frequently is unable to differentiate between political and legal threats to him and threats to the nation, we must worry about what President Trump may consider an ‘insurrection’ worth of massive military surveillance.”

And, in case you wonder, this sort of thing does tend to spread. Australia has an unfortunate tendency to follow rather slavishly behind Uncle Sam, the way it used to follow the United Kingdom. So I worry it might spread to my neighbourhood.

Clive Robinson October 31, 2018 5:51 AM

@ Wesley Parish,

Australia has an unfortunate tendency to follow rather slavishly behind Uncle Sam, the way it used to follow the United Kingdom.

It used to be said that Auz 5-10 years behind UK, UK 3-7 years behind the US and Canada was too polite to play keep up with the Jones’s.

What has happened is Auz due to being closer to Asia than the UK got infected by the JIT and similar bugs and the rapid changes that, that caused in turn caused significant social changes that have in more recent times been pushed along by “gold prosperity”.

The reality technology wise was that Auz could jump three to ten technology generations without incurring either the ROI or legacy costs.

The UK however is regressing at a rate of knots, and if the likes of idiots like Rease-Moog have their way it will be “Welcome to feudal England, collect your law regulated ‘class clothing’ on the left”…

Mario Lacroix October 31, 2018 7:00 AM

@RG-1 wrote:
“Once GDPR laws will take effect, Amazon will not be able to arrogantly monetize MY purchase history, because after 30 days it will be deleted.”

How does return policy get into effect? If the company deletes all your purchase history after 30d, it cannot fulfill the minimum requirements to things like “full money back in case you are not satisfied”, as the process takes more than 30d!

Timothy October 31, 2018 8:16 AM

‘FCW’s 2018 Election Security FAQ’
‘What does the threat look like? What has Congress done since 2016?’ […]

AM to DM by BuzzFeed News @AM2DM
‘Department of Homeland Security Senior Official @nppd_manfra says she’s more concerned with someone planting the idea that the midterm election results have been tampered with than actual meddling’

GregW October 31, 2018 8:35 AM


Trump has a lot of domestic support across party lines for leaving the Universal Postal Union despite its lengthy history.

Read the UPU Wikipedia entry’s Current Issues section or the latest Washington Post editorial on the move to see why.

Even after reforms were attempted in 2016, it still costs double to send a good from a manufacturer in the U.S. to a U.S. resident than it does to send a good from China to the U.S. resident.

A treaty that enshrines that makes neither economic nor national interests nor environmental sense.

Corrections welcome.

Faustus October 31, 2018 9:45 AM

@JG4 et al

JG4, I think we have very similar political opinions. For me, getting my news from an anticapitalism site run by an organization of the predatory capitalism class is not an option. Even if they don’t intend to be, they will be biased. That is why studies are double blind. We tend to see what favors us.

I don’t get news from organizations that jump up and down and scream. No Fox News. No MSNBC. Although I’ll take their raw data and leaks, the Intercept has totally lost my confidence and now appears a Russian captive. I don’t need breathless analysis.

After all we have discovered about implants to suddenly start doubting that China is utilizing them seems out of touch. This doesn’t make them evil, it makes them like us. But it doesn’t mean we shouldn’t protect ourselves. It is short sighted not to have domestic capability to create critical electronics.

I think you have to be crazy to think that aggregation will successfully protect privacy. Here I am aggregating x and y. x+y=1, 3x+4y=2. Thank God the values of x and y are hidden!! In general, once people start sending data out the looser and looser the controls are going to be.


“While Russia is fairly candid in its dealings and domestic economic situation”

This seems unlikely. How do you draw this conclusion?

vas pup October 31, 2018 10:03 AM

Can artificial intelligence help stop religious violence?

“Core beliefs

The research, published in the Journal for Artificial Societies and Social Stimulation, indicates people are a peaceful species by nature. Even in times of crisis, such as natural disasters, the simulated humans came together peacefully.

=>But in some situations the program indicated people were willing to endorse violence.
Examples included occasions [!!!]when other groups of people challenged the core beliefs that defined their identity.

Research author Justin Lane said: “To use AI to study religion or culture, we have to look at modelling human psychology because our psychology is the foundation for religion and culture.

“The root causes of things like religious violence rest in how our minds process the information that our world presents.”

[!!!!]The results suggest the risk of religious conflict escalates when a group’s core beliefs or sacred values are challenged so frequently that they overwhelm people’s ability to deal with them. But even then, anxiety only spills over into violence in about 20% of the scenarios modelled.

The researchers believe one answer to reducing the risk of religious violence and terrorism is to create situations that stop people seeing outsiders as a threat. [and outsiders respect core values of the host population and assumed that acceptance to be in a new country/community required such acceptance. period – vp]

The most risky situations are when the difference in the size of two different religious groups is similar and people encounter “out-group members” more regularly, perceiving them as dangerous. [not only physically dangerous, but dangerous to their social benefits – e.g. when new folks got more benefits having zero contribution than core population – Germany, demographically dangerous – when their birth rate substantially higher than of core population – vp]

The encounters need not be face-to-face. It could be that the threat is brought to someone’s attention through conventional and social media.

“We appear to live somewhat in our own information bubbles, but we still receive a lot of information about out-group members and that information appears to trigger our psychology even if there isn’t actually a real person there,” Mr Lane warned.

“Just the idea of a threat can be as powerful as a real threat to elicit a reaction.”

echo October 31, 2018 10:11 AM


Bangladesh with missiles? Going off on a tangent why is it you only acknowledge my existence when you disagree? It gets wearing.

Faustus October 31, 2018 10:56 AM


I apologize for offending you. That is not my intention.

I tend to follow up on things that violate my expectations. I thought maybe you could point me to something specific. An article or a transparency website concerning Russian openness. Transparency is something that I strongly support.

You are not generally talking about technical work you do or have done, which is the kind of thing that might get my positive attention. Besides that I mostly comment on what seems inconsistent or counterintuitive. For everyone.

You also tend to answer in ways that I can only understand as non-sequiturs: “Bangladesh with missiles?” I have no idea what that means.

I do not mean offense but to simply report my observations: The apparent non-sequiturs in your answers have suggested to me that your responses are at least partially bot generated. Even this turn towards attacking me is parallel to strategies employed by Eliza, an early bot, when it was cornered.

And “echo” is a name that suggests a mechanical response mechanism.

I do not currently strongly believe I am talking with a bot, but I am also not totally convinced otherwise.

This is not to suggest that your posts are not valuable or informative. It mostly relates to your responses to queries.

In general, we have very different political opinions. I am of the opinion that a wide range of opinions is a very good thing and so I welcome this. But I am not going to give you insincere high-fives. I don’t engage with people that I don’t find interesting so I hope you can see my questions as polite interest and an attempt to understand a different way of thinking from mine.

Timothy October 31, 2018 11:34 AM

“Firmware updates on Linux, and using data to influence procurement decisions”
NCSC blog post October 30, 2018

According to NCSC, many firmware updates for Linux devices are available through LVFS (Linux Vendor Firmware Service). The LVFS provides a list of currently supported devices. From LVFS’ device list: “This is a very incomplete list as a lot of the devices in the LVFS have not yet been released publicly and the firmware updates are in a secret embargoed state.”

The most recent notable firmware patches were made available for Spectre and Meltdown, two related CPU side-channel attacks.

65535 October 31, 2018 12:14 PM

@ Timothy

“According to NCSC, many firmware updates for Linux devices are available…”

That sounds very good.

But then I go to your link and find, “The National Cyber Security Centre a part of GCHQ” in the logo at the top of the webpage.

Is this akin to going to Fort Meade [NSA] for firmware updates or advice on the “best” place to get firmware updates?

I like the idea but I am not so enamored with the source. How about a more neutral place to get critical firmware updates? This is not to say the GCHQ is all bad or its motives are not aligned with privacy advocates but I do have some concerns.

I do feel that the NSA [and probably the GCHQ] has been trying to trick the populace into using weaker security standards and devices to keep in line with their “collect it all” mentality. But, who knows, the NSA and GCHQ may have shifted positions. This could be a helpful site.

vas pup October 31, 2018 12:25 PM

Laser attack on commercial flight:

Now, imagine those available laser pointers (more than one) combined together and attached to drone with the same criminal intent. You get drone weaponized by blinding capability against commercial flight/police choppers/private jets close to take off or/and landing.
On the other hand, same device could be probably used for blinding surveillance drones as well.
I guess pilots should have kind of special protective glasses against commercially available laser beam devices/pointers and/or cockpit window should have kind of protective cover. As I recall, military pilots have kind of protection or maybe just in my dreams (kidding!)

Timothy October 31, 2018 12:59 PM


How about a more neutral place to get critical firmware updates?

What would you suggest?

With regards to Windows platforms, a linked NCSC blog post from 2017 advises that hardware manufacturers like Dell, HP, and Lenovo don’t update UEFI firmware through Windows Update. However, those firmware catalogs can be updated using ‘Microsoft System Center Update Publisher (SCUP) in conjunction with System Center Configuration Manager (SCCM.)’ Correct me if I’m wrong, as I don’t manage those processes.

Does Microsoft or the firmware development chain merit a higher level of trust?

Faustus October 31, 2018 1:26 PM

@65535, vas pup

I’ll say it: The motives of GCHQ are not aligned with privacy advocates.

Is that in doubt?

I have been watching a strange British/Cinemax show called Bodyguard. In it, a surveillance happy Home Secretary says: “We don’t need to know if you type in B-O-O-B-S but we certainly need to know if you are typing B-O-M-B.”

It made me think. I have not done extensive research into this, but Britain seems to be surveillance and security obsessed, successively banning new security threats. Laser pointers next? Drain cleaner? Shoe laces?

But the B-O-M-B quote, as fictional as it is, makes me realize how many new British shows I watch combine tons of soft core pornography with very positive depictions of heavily armed police running about based on massive surveillance feeds.

It makes me think of Brave New World, where sex and drugs blunted the sting of an authoritarian controlled existence.

Rach El October 31, 2018 4:08 PM


re: tv shows. Yes, there is also an English MI5 one called Spooks which has the slogan ‘For The Greater Good’ which, as Clive Robinson points out, is the sort of phrase that, if heard uttered by say an employer, should have one running for the hills as fast as possible. Shows like that can’t be considered anything but brainwashing vehicles. But for cinema and tv beyond overt examples such as these (as yours) there is the steady diet of sexualised violence we are drip fed that flies a bit below the subliminal radar, having been exposed to it for so long. We accept it as normal. I can assure you – it is not normal.
No more than it’s normal for humans to voluntarily, with good feeling, dress up in weapons and wander out beyond the village into the desert and start murdering all the citizens of the other neighbouring village – because the king wants the land and goods and needs someone to take it for him.

Always enjoy your contributions here
Good rebuttal of the aggregated data collection practices by Firefox.
A new browser tab in Firefox has (or used to have, I can’t see it now) a little blurb ‘ we’re anti-corporate, anti-authoritarian, anti-profit, we are people first, privacy first blah blah’ This is, amusingly, brazenly declared immediately below massive clickable windows directing one to all the partners Firefox has – facebook, twitter, reddit, amazon
a quick browse of about:config indicates just how deeply the google tentacles are wrapped around firefox innards

Having said that, credit where credit is due. Mozilla and Firefox have some admirable qualities

k15 October 31, 2018 5:45 PM

Why do financial institutions ask other companies (which then use the fin. inst’s name in the From: field, despite sending from a different email domain) to survey customers on their behalf? If an outside malefactor wanted to compromise the institution’s customers using a false survey, what would keep such a venture from succeeding?

Clive Robinson October 31, 2018 9:23 PM

@ vas pup,


I love that [hoverbike is] in usage by Dubai police and made in Russia (wow!).

Have you seriously looked at that thing?

Those “fans” make “brush cutters” look like toys… If you ran it into a crowd of people you’d be talking a hundred weight of Hamburger meat easy… As for the rider you fall off and you definitely will not hit the ground in one piece…

That hoverbike is an accident just waiting to happen big style. But beside that it’s just plain nasty with several side orders of “ripsaw massacre” to hand out left and right, front and back…

k15 November 1, 2018 6:21 AM

My question might have been unclear. What keeps a malefactor from emailing their target offering a link to a compromised site, in the guise of doing a survey on behalf of the target’s financial institution?

Faustus November 1, 2018 8:37 AM


Banks probably don’t send out emails that don’t legitimately come from their domains. Nor will they ask you sensitive questions by email.

You are probably looking at hackers who are “phishing” you. It is wise never to click on links in emails if they have anything to do with financial institutions. And if you see an email whose apparent sender is coming from an unrelated address, like Customer Service, simply ignore it. Even opening it can expose you to hacking depending on the settings of your email client.

Faustus November 1, 2018 8:39 AM


My example email was elided. In short, a bank is not going to send you an email from someone’s personal account.
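The sender mismatch k15 asks about, and the "unrelated address" check suggested in the replies, can be tested mechanically on a received message. This is an added example, not part of any commenter's post: the brand name, domains and sample messages are constructed, and the Authentication-Results header is assumed to have been written by the recipient's own mail server.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed allow-list: brand keyword -> domains the institution really sends from.
BRAND_DOMAINS = {"example bank": {"examplebank.example"}}

def name_and_domain(header_value):
    """Return (display name, lowercased address domain) of an address header."""
    name, addr = parseaddr(header_value or "")
    return name, (addr.rpartition("@")[2].lower() if "@" in addr else "")

def in_domains(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def dmarc_result(msg):
    """dmarc= verdict from Authentication-Results, or 'none' if absent.
    Only meaningful when that header was added by your own receiving server."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", str(value), re.I)
        if m:
            return m.group(1).lower()
    return "none"

def assess_sender(raw, brands=BRAND_DOMAINS):
    """List the reasons a message's claimed sender should not be trusted."""
    msg = message_from_string(raw, policy=policy.default)
    name, from_dom = name_and_domain(str(msg.get("From", "")))
    _, reply_dom = name_and_domain(str(msg.get("Reply-To", "")))
    findings = []
    for brand, allowed in brands.items():
        if brand in name.lower() and not in_domains(from_dom, allowed):
            findings.append(f"display name claims '{brand}' but From domain is {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    verdict = dmarc_result(msg)
    if verdict != "pass":
        findings.append(f"DMARC verdict is '{verdict}'")
    return findings

def build(headers):
    """Assemble a constructed sample message from a list of header lines."""
    return "\n".join(headers) + "\n\nPlease take our survey.\n"

# Constructed samples: mail from the bank's own domain, a survey outsourced to
# a vendor domain, and a phish imitating that outsourced survey.
DIRECT = build(['From: "Example Bank" <notices@mail.examplebank.example>',
                "Authentication-Results: mx.recipient.example; dmarc=pass"])
OUTSOURCED = build(['From: "Example Bank Customer Survey" <survey@surveyvendor.example>',
                    "Authentication-Results: mx.recipient.example; dmarc=pass"])
PHISH = build(['From: "Example Bank Customer Survey" <survey@survey-results.example>',
               "Reply-To: <collect@other.example>",
               "Authentication-Results: mx.recipient.example; dmarc=fail"])

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("outsourced", OUTSOURCED), ("phish", PHISH)):
        print(label, assess_sender(raw))
```

The outsourced survey and the phish trip the same display-name finding, and a DMARC pass on the vendor's domain says nothing about whether the institution authorized that vendor.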

Anura November 1, 2018 3:00 PM

For those who missed the hilarious op-sec failure the other day:

* Surefire’s official phone number goes to Jacob Wohl’s mother’s voicemail.
* Wohl’s email is listed in the domain records for Surefire’s website.
* The office Surefire listed as its address is in fact occupied by a law firm that says it has nothing to do with them.
* An LLC with the company’s name was incorporated just a few weeks ago.
* LinkedIn profiles for several supposed Surefire employees use photos that are actually of other people (including model Bar Refaeli and actor Christoph Waltz).
* The photo for Surefire’s supposed “managing partner” appears to be of Wohl himself.

Apparently if you keep telling people that anyone can make up rape allegations, someone will believe you and try it; kind of like the Republicans that keep getting arrested for trying to vote in two different counties (for which voting records are publicly available).

echo November 2, 2018 5:17 AM


I apologize for offending you. That is not my intention.

This would explain your “doubling down” with convoluted slander and superstition followed by elbow out of the way “high fives” then breathless “content light” posts for the remainder of the topic. I believe a forensic examination of the past weeks or even months posts will confirm this. I invite you to review them on your time and be more careful the second time around.

Given your lack of being unable to use a search engine to verify what “Bangladesh with missiles” means or intellectually “pivot” with regard to Russia’s well known political approach and economic realities I won’t hold my breath.

I dislike squabbling but I dislike being gaslighted and pushed about even more. Please don’t do this again. Thank you.

itsjustobvious November 2, 2018 7:32 AM

@ echo “Humanity has wiped out 60% of animals since 1970, major report finds …”

Echo, you don’t need to be a mathematician to see that we’re on the curve that represents the explanation for the Fermi Paradox: “The Great Filter.” Reading the news makes me feel like Charlton Heston in the Omega Man.

@ vas pup : “Now, imagine those available laser pointers (more than one) combined …”

We are only just now beginning to see how the laser can/will/is being used in very negative ways. Twisted light “hollow” laser beams have the potential to wreck civilized society. In fact, the same could be said of almost anything that current day researchers tag with labels like “quantum [anything]”

Faustus November 2, 2018 8:33 PM

@ echo

I am simply asking what Bangladesh with Missiles has to do with Russian Transparency and where I could find something about Russian Transparency? You are unable to answer a simple question. It is extremely uncanny to me.

In any case, you are simply twisting good natured queries into some sort of a plot. If any gaslighting is going on here, it is on your part, and I’m not going to be cowed by silliness.

You certainly don’t owe me an explanation for anything. But this is an open forum and I can ask my questions.

Despite your hostility, I intend to continue along like I do with anyone. I really have no idea why you are acting like this and it has nothing to do with me.

Faustus November 2, 2018 9:01 PM

@ echo On second thought, unless you summon me forth by name, I will not respond to your posts. I do not wish you any ill, and I think silence best serves.

echo November 2, 2018 11:53 PM


You did it again!

I really do expect someone discussing the Russians to have at least a basic understanding of Russian politics and economic circumstances and history. I also expect people to follow their curiosity and use a search engine or read around the subject. I know the whole world is not me and other people may not have or make the time for this given their own unique life history and circumstances. I’m fairly sure you’re not an ignorant dunce and your mind is agile but I do believe there are points of view which pass you by.

I will admit “Bangladesh with missiles” is cryptic. You will need to do your own research. The only clue I will give you is considering Russian politics as a “blunt hammer” and Russia having a fairly advanced economy which is insulated and geographically distant.

Being “silly” is pretty sexist! Yes I can be silly. It’s usually to humour men who have opinions like brick walls and manipulate them so they perceive me as “not a threat” and “not worth the bother”. I like to believe this is when I am my most dangerous. Grrr.

Clive Robinson November 3, 2018 4:13 PM

@ Faustus,

I am simply asking what Bangladesh with Missiles has to do with Russian Transparency

If you googled “Bangladesh with Missiles” the first link that comes up in the UK is,

The “Bangladesh with Missiles” remark is highly probable a lie by Madeleine Albright. She made during the interview in Austria, not thinking that people would actually check it out.

Let’s just say that what she says is at best highly slanted and almost always untruthful in some way when it comes to certain types of politics. She has a self and mental image of the world that does neither her nor the US any favours. As almost every one outside the US who has taken an interest in world politics should know.

Her views are the extreme end of that of a small unelected clique who were well out of date in the 1980’s which became obvious to all during the 1990’s. With the likes of other clique members such as Condoleezza Rice being almost catastrophic. Ms Rice repeatedly ignored warnings from the likes of CIA Director George Tenet who called an emergency meeting with her to discuss the possibilities of prevention of imminent Middle East terrorist attacks on American targets, including positive information on an impending al Qaeda attack…

Ms Rice effectively brushed it off by saying “It was information based on old reporting.”, and more or less ignored it in her pursuit of bashing the Russians every which way she could. In fact on 9/11 she was due to give a high level briefing on her new national security policy, that included lots of stuff the MIC loved to hear. The foundation of the policy was a hugely expensive missile defense against Russia that would be forced down the throats of close Russian neighbours. And yet more about forcing US “democratic” views down the throats of those in the Middle East whilst strongly playing down any threat of stateless terrorism against the US at home or abroad…

We are still seeing US foreign policy defined by those of that clique and those they have groomed. The MIC however quickly learnt to play the game differently and has had an amazing bonanza at the US tax payer expense since. All that one can really say about US foreign policy from when Madeleine Albright had any say in it, is that it has not been good for US citizens or world stability and worse will almost certainly come because of it.

@ All,

Has anyone else noticed the lack of alleged Russian interference in elections since the demise of Cambridge Analytica and associated off shore organisations that were apparently funneling US billionaire money into election rigging via amongst others Russian contacts. It’s a shame the UK police suddenly and puzzlingly stopped investigating that angle… Though it looks like they have decided to go after Arron Banks and a group of off shore companies he has interests in after the electoral commission gave them little choice,

gordo November 3, 2018 11:03 PM

@ Clive Robinson,

RE: interference

Maybe it doesn’t matter to the likes of Facebook. From the U.S. …

Senators Tell Facebook To Close Loopholes In Political Ad Tool
by Wendy Davis, Media Post, November 2, 2018

Rob Leathern, director of product management at Facebook, says the company investigates and removes deceptive ads after being informed about them. “We’re exploring additional checks to help prevent abuse and will respond to requests from law enforcement and election officials now and in the future if new requirements arise,” he said in an emailed statement.

… anyway, another non-system keeping tabs on a system. The medium, err, business model(s) is(are) the message.

Faustus November 4, 2018 12:07 PM

@ Clive

Thanks, for the extended explanation. I am no fan of the neocons and the fake democrats and war mongering in general. I had googled “Bangladesh with Missiles” but all I saw had nothing to do with Russian transparency, which was my question. The answer is what would happen if I spidered a few websites based on the keyword “Russia”, and looked for a random phrase that occurred several times. What struck me was how strangely unresponsive “Bangladesh with Missiles” was to the question I asked.

Whatever. It is no crime to have general opinions that you cannot back up with hard evidence whenever anybody asks. I have them too. I just admit that I don’t have the evidence in hand.

It’s not that I think the West is open either. Our politicians’ response to democracy is to provide the voters with as little information as possible to use to make their decisions, which undermines the whole rationale of democracy. Obama, Bush, Trump, none of them tell or told the American people the truth about much.

I spent several months on trying to talk with the crop of right wingers to see how they would articulate where they were coming from. They really wouldn’t. There were lots of suggestions that I should google it and come up with all the good reasons that Jews are trying to replace poor WASPs, for example. I got a few collages of calumny against Jewish folks. That’s the best their explanations got.

Once again, whatever. Nobody owes me an answer about anything. I was just curious.

At the time of the Crimea takeover I noticed how quickly the US news forgot that we had just engineered the ouster of the Russia leaning Ukrainian President, probably setting Russia’s response in motion. So I am open to the idea that I have consumed a lot of anti-Russia propaganda, and am willing to look at evidence that Putin is not what he appears to be. But googling shows me no such evidence that is not hosted by Russia herself.

I don’t think Putin is any more evil than we are, just better at what he does, and less restrained since there are no checks on his power. His logic is our logic. China can be a world power based on its economy. Russia doesn’t have that advantage and needs to use sneakier methods. We would too, and undoubtedly are.

My loyalty to my country is loyalty to its Constitution and Bill of Rights. The last few governments were full of weaklings that Putin could work through with his bare hands, one after another. And yawn, no great loss. But they are what we have to protect the Constitution right now, and so I provisionally support them, and wish to contain Putin, not because he is evil, but because he doesn’t wish us well, and has no good reason to change that orientation. And it is disturbing how he treats his own people and the sloppy methods – dangerous to bystanders – that he uses against dissidents outside his country.

But thanks for the exegesis on “Bangladesh with Missiles”!! You are very generous in taking the time to answer this, and other questions of mine, in depth.

Clive Robinson November 4, 2018 5:29 PM

@ Faustus,

My loyalty to my country is loyalty to its Constitution and Bill of Rights.

Sadly you appear to be on what is sometimes called in the UK “A losing wicket”.

I do not know how it appears to people in the US, but most people I’ve talked about it to, in the UK, Europe and even more far flung places tend to agree that it’s not just the US executive that wants to shred them. But also most US politicians, the DoJ, FBI, and more than a number of DAs. Oh and if the numbers of deaths, injuries, and wrongful convictions are anything to go by so do a significant number of Law Enforcement Officers.

Other than the numbers of deaths and injuries I can not honestly say it’s actually that much better in the UK, and I don’t think that god or any other deity knows just how bad it will get after Brexit, but it is very very unlikely to get any better.

I was reading up on Apollo VIII which will have its fiftieth anniversary this Xmas. History indicates that 1968 was not a good year for the US in oh so many ways, and there is a story of an anonymous telegram sent to NASA and the astronauts thanking them “for saving 1968″… Sadly we don’t have that sort of thing any longer where something like a quarter of the world could see something that was so unifying and get hope from it.

I fear that the way things are currently going we will see the equivalent of the proxy wars that came at the end of the 60’s and through the 70’s, not just returning but escalating into something much larger. As has been noted there is only one thing likely to happen after you wire the safety valves down, the only question being “When?” not “If?”.

Faustus November 4, 2018 6:14 PM

@ Clive

The Constitution was written with the understanding that it would often be opposed by government factions. It is very hard to change, and no matter who appoints Supreme Court justices, the Court, more than any other branch, keeps falling in the direction of honoring it. If only because it is the seat of its own power.

I’m not always going to agree with the Court. It has made decisions that we now recognize as mistakes. But it, overall, has done an admirable job in upholding the Constitution and allowing the US to evolve and improve. Yes, we have a way to go.

Ultimately the Constitution is an idea, grounded in the Magna Carta and English Common Law, an inheritance. Even if it is forced underground or abandoned, it can always be taken up again.
