Friday Squid Blogging: Squid Sculptures

Pretty.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on November 16, 2018 at 4:05 PM • 50 Comments

Comments

Mike Loomsday • November 16, 2018 4:38 PM

On a fractal level the privacy and security problems are the same whatever "problem" we are trying to solve.

What if you studied a poker game played by card trick magicians? -- All tricks allowed. -- If you play by the book, literally, is there any chance of cheating?

The tricks used in a poker game are actually the same as in computer hacking. -- Maybe it is easier to "see" the phenomenon in a different environment.

MarkH • November 16, 2018 6:03 PM

Using Digital Anonymity to Safely Kill People ... Without Leaving the Comfort of Your Home

Burned to death because of a rumour on WhatsApp [bbc.com]

This story reports the lynching (i.e., crowd-sourced murder) of two men in a Mexican town. The grisly murder was inspired by an apparently false WhatsApp rumor concerning child abduction.

From my reading of the story, the rumor did not identify anyone, but happened to appear simultaneously on numerous phones just as the two doomed men were brought into a police station on suspicion of disturbing the peace. Somebody connected this arrest with the WhatsApp messages, and the mob accepted this connection as fact.

Sure, people commit senseless murders every day, and as an isolated incident this might seem a curiosity.

But the story refers also to:

• lynching of a man and woman in Ecuador (they had been arrested for theft) "after a message circulated on WhatsApp falsely accusing them of being child snatchers"

• lynching of a man in Colombia "who was falsely accused in WhatsApp messages of being linked to the kidnapping of a child"

• "rumours and fake news stories on Facebook and WhatsApp ... fomented fatal violence in India, Myanmar and Sri Lanka, to name just three"

• "WhatsApp ... has been linked to a wave of lynchings across India, often fuelled by fake stories of child abductors"

Note that in the great majority of these reports, the rumors are of child abduction (typically, claiming that the abducted children are killed).
__________________________________

False (or at least, greatly exaggerated) reports of child abduction and murder have a long, sad history.

In the history of moral panics (historical witch scares, and the like) the abduction and murder of children figures prominently. In recent times, examples include the belief that children are frequently abducted by strangers (in the prosperous countries of the West, this is very rare), or even that Satanic cults sweep up children to murder them in their rituals.

An especially nasty variant of this is the "blood libel" against Jews, which dates back eight centuries or more.
__________________________________

A new twist on this old phenomenon is that social networking apps get these fabrications to many people at the same time.

I suspect that this stimulates a sense of urgency and imminence which amplifies the emotional response of those who give the stories credence, more than the old word-of-mouth system of propagation would have.
__________________________________

Because WhatsApp is effective at protecting the identity of "publishers", it's impractical to identify who spreads such reports. [The story cites "ironclad end-to-end encryption" which will probably amuse some readers of this blog.]

Probably, most of them sincerely believe what they are writing, and imagine themselves to be performing a service to their community.

Of course, in suitable circumstances, this same means could be used to attempt deliberate murder of targeted persons.
__________________________________

Fans of science fiction may recall the premise of the 1950s movie "Forbidden Planet," in which nearly miraculous technology empowered the most primitive and destructive impulses of an advanced civilization.

Recent years have furnished plentiful examples in which the Shiny Promise Of The Internet met the brutal realities of human nature.

Paul Campbell • November 16, 2018 7:00 PM

Thanks for the talk at Kiwicon, pity the colossal squid's display at Te Papa is on hold until next year.

echo • November 16, 2018 7:43 PM

I hate things like this. I also hate policies which drive people to desperation.

https://www.bitchmedia.org/article/the-dream-multi-level-marketing-schemes
Pink Cadillacs and Pipe Dreams
How Multi-Level Marketing Companies Scam Women

https://www.theguardian.com/society/2018/nov/16/uk-austerity-has-inflicted-great-misery-on-citizens-un-says

The UK government has inflicted “great misery” on its people with “punitive, mean-spirited, and often callous” austerity policies driven by a political desire to undertake social re-engineering rather than economic necessity, the United Nations poverty envoy has found.

Frank • November 17, 2018 3:08 AM

@MarkH And in other cultures, we have virtual lynchings. Wear the wrong Halloween costume, social media erupts, you lose your job. Say the wrong word, express the wrong idea....

We are being watched by Big Brother, and he is us. That's what George Orwell got wrong in 1984, he thought the govt would be the cause of the problems, whereas it is the culture.

Timothy • November 17, 2018 11:35 AM

Oversight.gov is a website that hosts public reports from the Inspector Generals (IGs) of U.S. Federal agencies. The website which was launched about a year ago now has reports from 70 of 73 IGs. More from MeriTalk.

A few IG reports that look interesting are the Top Management Challenges Reports for the Election Assistance Commission (EAC), the Department of Justice (DoJ), and the Federal Trade Commission (FTC).

For example, the top management challenges for the FTC in FY 2018 were:

Section I: the most serious issues

  1. Securing Information Systems and Networks from Destruction, Data Loss, or Compromise
  2. Addressing the Escalating Costs of Expert Witnesses

Section II: a ‘watch list’ of important performance challenges

  1. Development of a Risk Management Framework in Support of FISMA
  2. Acquisition Planning and Contract Management
  3. Improper Influences by Former Officials and Employees

Other report types include Audits, Investigations, Reviews, Semiannual Reports, and more.

Clive Robinson • November 17, 2018 11:51 AM

@ All,

I guess a few readers here remember back nearly a decade when North and West Europe air routes were closed for a week, not for terrorism but something potentially quite a bit worse "Eyjafjallajökull".

In real terms it was a relatively minor volcanic eruption in Iceland that sprayed fine volcanic ash into the air. Being very similar to pumice it had an exceptionally abrasive effect when sucked into jet engines. Hence the closing of the air routes.

But how many remember what they were saying in Iceland about that volcano and how little it was in comparison to others around it that are well overdue to "pop their corks"?

We got a reminder just a few weeks ago, that the kettle is boiling under Katla,

https://www.standard.co.uk/news/world/katla-volcano-scientists-warn-huge-icelandic-volcano-is-about-to-erupt-dwarfing-2010-ash-cloud-a3943411.html

Whilst it may not be imminent it certainly looks like one to keep an eye on... But that leaves the question of what could happen if the cork does pop?

Well the history of the unindustrialised "Dark ages" has been recorded in Swiss ice up in their mountains and there is a lesson or three to be learned,

https://www.sciencemag.org/news/2018/11/why-536-was-worst-year-be-alive

Remembering we are overdue not just one but several volcanic eruptions, some at least if not more cataclysmic than the 536 eruption in Iceland, and that many European nations now have populations bigger than that of Europe back in the dark ages. Thus things could get quite "interesting" real quick and Europe is in no way prepared for such an event (nobody ever is)...

So just how much food, water and candles do you think you might need for a half to a decade and a half of significantly depressed annual temperatures, thus little food production etc?

Sometimes even experts forget what security can be all about, when Mother Nature coughs, or the Earth sneezes... As was once observed "mankind is an unsightly skin blemish on the earth".

VRK • November 17, 2018 12:08 PM

Folks I think it's too fundamental not to get in front of, seeing it's getting pushed forward.

Definitely feels like an open door to Man-In-The-Middle leverage.

ZDNET: HTTP-over-QUIC to be renamed HTTP/3

IETF: Hypertext Transfer Protocol (HTTP) over QUIC 'QUIC stands for "Quick UDP Internet Connections"'

I tried using UDP this way years ago, for their stated reasons, but I'm not a network engineer.

UDP throws out the error checking that TCP has built in.

TCP Scenario:
HQ: "Soldier hold the bridge" SOLDIER: "Roger, hold the bridge.".

else

UDP Scenario:
HQ: "Soldier hold the bridge" SOLDIER: [[ sorry I'm already KIA but you'll never know that will you. ]].

Maybe I'm just twitchy because Google fielded this, but I'm going to be more careful to write my own error checking ACK. Maybe it's better as pseudo-blockchain anyway? Thoughts?

Skizzo • November 17, 2018 3:31 PM

Interesting documentary about the people who work for big social media censoring content according to their policies. You won't have to worry about seeing Trump's tiny appendage in the painting as they blur that out for some reason, but if rows of lifelike ;) silicone appendages offend you, you might not want to watch.
https://www.pbs.org/video/the-cleaners-yq8ap6/

SpaceLifeForm • November 17, 2018 4:07 PM

@VRK

Ultimately, you have to rely on trust.

You have to trust that IP packets can and will be delivered.

You have to trust that IP packets will not be manipulated.

You have to trust the above two things.

If you can trust the reliable delivery and no packet manipulation, then, in theory, it should not matter if UDP or TCP.

But, unfortunately, neither packet delivery nor packet integrity can be trusted.

AL • November 17, 2018 7:23 PM

@VRK
I think QUIC will be OK, because if the packets are corrupted, then the encryption won't work. QUIC is being used now with Google sites like YouTube and Chromium based browsers, and that traffic is encrypted. It can be seen in Wireshark.

Men in Black • November 17, 2018 8:41 PM

@SpaceLifeForm: Ultimately, you have to rely on trust. // You have to trust that IP packets can and will be delivered. // You have to trust that IP packets will not be manipulated. // You have to trust the above two things.

The technologies and applications of cryptology and Shannon's information and coding theory are what allow us to greatly strengthen and build on an existing trust (which may only be marginal or on a best effort basis at first) to create a system with the strong guarantees that you are requiring here.

Clive Robinson • November 18, 2018 7:55 AM

@ VRK, and others,

You might want to add this to your QUIC reading list,

https://www.snellman.net/blog/archive/2016-12-01-quic-tou/

Whilst TCP has ossified, it's not the fault of the protocol which had upgradability built in. It's down to people not building their boxes to allow for upgradability.

In short security became dictatorial not just at the end points but at all sorts of unexpected places in between. So we got the "We shall only allow XXX" mentality[1] where XXX is a limited subset of what should currently be properly supported... Thus no allowance for anything they decide is "not vanilla" to their business model. Thus the ossification of TCP with the old "We don't do it because nobody uses it" excuse, leaving out the important fact that "Nobody uses it because we don't allow it"...

Much as people might dislike the likes of the Silicon Valley big players they are in practice the only "clout" to say "Make it so" and for the people in the middle to "jump to it"... I don't like it any more than other people do especially as there is a large international "Political" component in it...

But at the end of the day it is our own fault for allowing things to get this way. Which raises the question of "Could we have stopped it?" to which the answer is "probably not" not just back then but in the future. In part because the US political structure has made it clear that they have no interest in international agreements, and will try and force where they can what they get paid to do. Thus the IP network as we know it is becoming "owned" in its entirety in one way or another by "short term" "shareholder benefit" which is highly undesirable. This behaviour has significantly failed in the past and all signs are it will likewise fail in the future for similar reasons.

[1] We saw this nonsense in the early days of "streaming media" where you were told incorrectly that the only way was that which made the company most money whilst also crippling networks beyond their profit point. Eventually people started to see sense but there is still a load of the old methodology still out there and will be for potentially decades to come.

Gunter Königsmann • November 18, 2018 12:24 PM

To my understanding UDP is TCP without the mechanism that automatically requests a new packet if a packet gets lost or corrupted. And the new Google protocol is UDP with a new mechanism that requests a new packet if a packet gets lost or corrupted, but with a few detail optimizations.
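The UDP-versus-TCP contrast VRK sketches above, SpaceLifeForm's point that neither delivery nor integrity can be trusted, AL's note that a corrupted packet fails the crypto check, and Gunter's summary of QUIC as "UDP plus a resend mechanism" can all be watched in one small simulation. This is an added example, not code from the thread or from any QUIC implementation; it assumes a truncated HMAC-SHA256 tag as a stand-in for QUIC's AEAD, a scripted in-process link in place of a real network, and constructed messages and key.

```python
# Added example (not from the thread): a stop-and-wait reliability layer over a
# simulated unreliable datagram link. No sockets, no real QUIC; the HMAC tag stands in for an AEAD.
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared key for the demo, not a real secret
TAG_LEN = 16                    # truncated HMAC-SHA256 tag (stand-in for an AEAD tag)
MESSAGES = [b"hold the bridge", b"fall back to ridge", b"report status"]  # constructed

def make_channel(script):
    """Scripted unreliable link: each call consumes one entry of `script`
    ('ok' delivers, 'lose' drops, 'flip' alters one byte). Once the script
    is exhausted the link delivers everything."""
    events = list(script)

    def channel(frame):
        kind = events.pop(0) if events else "ok"
        if kind == "lose":
            return None
        if kind == "flip":
            return frame[:5] + bytes([frame[5] ^ 0x01]) + frame[6:]
        return frame

    return channel

def fire_and_forget(messages, channel):
    """Plain datagram behaviour as VRK describes it: no seq, no ACK, no integrity
    check. Returns what the far end received; the sender never learns about the
    loss, and an altered byte is accepted as if it were genuine."""
    received = []
    for msg in messages:
        frame = channel(msg)
        if frame is not None:
            received.append(frame)
    return received

def seal(seq, payload):
    """Frame layout: 4-byte big-endian seq | payload | tag over (seq | payload)."""
    body = struct.pack(">I", seq) + payload
    tag = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

def open_frame(frame):
    """Return (seq, payload), or None when the tag does not verify, i.e. the
    frame was corrupted or tampered with in flight (AL's point)."""
    if len(frame) < 4 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">I", body[:4])[0], body[4:]

class Receiver:
    """Delivers frames in order and answers with the next seq it expects
    (a cumulative ACK); frames that fail the tag check are dropped silently."""

    def __init__(self):
        self.expected_seq = 0
        self.delivered = []
        self.rejected = 0

    def handle(self, frame):
        opened = open_frame(frame)
        if opened is None:
            self.rejected += 1
            return None
        seq, payload = opened
        if seq == self.expected_seq:  # a duplicate is re-ACKed, not delivered twice
            self.delivered.append(payload)
            self.expected_seq += 1
        return self.expected_seq

class Sender:
    """Stop-and-wait sender: resend until the ACK for this seq arrives, give up after max_tries."""

    def __init__(self, channel, max_tries=5):
        self.channel = channel
        self.max_tries = max_tries
        self.retransmits = 0

    def send_all(self, messages, receiver):
        for seq, msg in enumerate(messages):
            frame = seal(seq, msg)
            for _ in range(self.max_tries):
                on_wire = self.channel(frame)  # None means lost on the link
                ack = receiver.handle(on_wire) if on_wire is not None else None
                if ack == seq + 1:
                    break                      # "Roger, hold the bridge."
                self.retransmits += 1          # lost or rejected: no usable answer, resend
            else:
                raise TimeoutError("seq %d never acknowledged" % seq)

def run_demo(script=("ok", "lose", "flip", "ok", "ok")):
    receiver = Receiver()
    sender = Sender(make_channel(script))
    sender.send_all(MESSAGES, receiver)
    return {"delivered": receiver.delivered, "retransmits": sender.retransmits, "rejected": receiver.rejected}
```

With the default script the second message is lost once and altered once before it gets through, so the reliable layer reports two retransmits and one rejected frame while the fire-and-forget path simply hands the far end a silently corrupted message and drops the lost one without anyone noticing.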

MarkH • November 18, 2018 3:44 PM

@Clive:

I well remember that eruption of the volcano with the (for me) unpronounceable name.

I was on the point of making a long journey to meet a beautiful young lady, and the plume would have disrupted any reasonable flights to her region. (In the event, the eruption subsided soon enough to allow the trip to go forward unhindered.)

In my anxiety about the situation, I finally read Verne's "Journey to the Center of the Earth", the imagined journey of which begins in an Icelandic volcano.

Your point is well taken, about real security. An elementary concept in the analysis of gambling is expectation: reward multiplied by probability.

Security threats have a negative expectation, and sometimes the product is large even though the probability is low (or even minute).

One example that's gotten a fair amount of attention in recent years is the risk that one of the many nasty livestock-to-human viruses will appear in a form both deadly and easily transmissible via aerosols. Despite the many warnings, precautionary preparations remain minimal.

Both human nature and the typical working of social institutions are ill suited to respond to these kinds of enormous dangers, whilst at the same time enabling hysterical overreaction to much smaller dangers.

tyr • November 18, 2018 6:32 PM

@Clive

In digging in ancient tomes I found the Byzantine records about Krakatoa going off in 535. The sun only shone for two hours a day before and after noon. In 539 Arthur Pendragon fell in battle against Saxons who had crossed the channel looking for food.

Eventually all of the tribal migrations had ceased enough for a reestablishment of effete practices like writing history to begin again around 900. The completely wrecked previous civilizations never did recover so what remained was patched together from the remnants. The narratives taught in school gloss over all of this to fake a continuity that was far from the reality.

You find the same thing when Santorini blew. That generated the fake stories of Moses, eventually elevated the Greek pirates to some semblance of civilization but with little connections to what was existing before.

This planet can create situations that no tech or science can save existing institutions from. Longterm planning is not a human virtue so most of what is cobbled together will be swept away in the next major event.

I also think of the guy who saw WW2 coming, scanned the world for a place to avoid it and moved to Guadalcanal based on his own forecast.

echo • November 18, 2018 6:38 PM

https://www.theguardian.com/politics/2018/nov/18/theresa-may-tory-rebels-brexit-deal-uk-immigration

“Getting back full control of our borders is an issue of great importance to the British people,” she will say, adding that EU citizens will no longer be able to “jump the queue ahead of engineers from Sydney or software developers from Delhi”.

Theresa never acknowledged that bad UK policy was the cause of issues with deporting terrorists. The same issue is true of immigration too. Brexit seems like the wrong solution to a problem which doesn't exist.

Nowhere does Theresa acknowledge that the EU has given many UK citizens the ability to live and work and retire within the rest of the EU.

“Control of our laws, by ending the jurisdiction of the European court of justice in the United Kingdom and ensuring that our laws are made and enforced here in this country.”

This is a symptom of the arrogance of "parliamentary sovereignty" in a country without a codified constitution. Too many politicians who make up parliament and occupy Ministerial positions seem to believe this arrogance. I believe this makes them feel frustrated when they run up against constraints of behaviour and keep trying to make a clearly broken system they created work simply by forcing more and demanding more and not being able to accept the root cause of the problem.

These arguments have been proven time and time again within UK courts.

All you have to do is look at how deliberate underfunding of education and welfare places UK citizens at a disadvantage. It's not as if people are incapable yet are being pushed to the back of the queue in any case by her proposed solution.

The UN has produced a damning report on austerity policy which is being equally ignored by Theresa.

The prime minister will tell her audience in Greenwich: “I have always had a very clear sense of the outcomes I wanted to deliver for people in these negotiations. Control over our borders, by bringing an end to free movement, once and for all. Control of our money, so we can decide for ourselves how to spend it, and can do so on priorities like our NHS.

I believe Theresa is confusing "output" with "outcome".

gordo • November 18, 2018 11:12 PM

TOTH to Paul Rosenzweig (As noted, the entire text is worth a read - here’s my slice):

IGF 2018 Speech by French President Emmanuel Macron

Lastly, for the reasons I just mentioned, I deeply believe regulation is needed. That is the condition for the success of a free, open and safe Internet – the vision of its founding fathers. And France is the first state to sign up to the “Contract for the Web” initiated by Tim Berners-Lee, to save this original vision. It is also the condition for democratically elected governments respecting the rule of law to protect their people. As I often say, if we do not regulate Internet, there is the risk that the foundations of democracy will be shaken; if we do not regulate their relationships with data and the rights of our citizens over their own data – access to it and sharing of it – then what is the meaning of democratically elected governments? But who better than these governments can set the law? That means that implicitly, we accept that players, on the basis of economic dominance, or that a system that has never been discussed in practical terms, would be more legitimate than a government with regard to its own citizens – perhaps only its own citizens – to say what the proper relationship with these data is! That means that the notion of responsibility with regard to citizens is to an extent worn away.

That is also why I believe we need to move away from the false possibilities we are currently offered, whereby only two models would exist: that, on the one hand, of complete self-management, without governance, and that of a compartmented Internet, entirely monitored by strong and authoritarian states. To be very politically incorrect, we are seeing two types of Internet emerge: as I said earlier, there is a Californian form of Internet, and a Chinese Internet. The first is the dominant possibility, that of an Internet driven by strong, dominant, global private players, that have been impressive stakeholders in this development, that have great qualities and with which we work, but which at the end of the day are not democratically elected. Personally, I don’t want to hand over all my decisions to them, and that is not my contract with France’s citizens. That is the self-management model, but it doesn’t really have any governance and it is not democratic. On the other side, there is a system where governments have a strong role, but this is the Chinese-style Internet: an Internet where the government drives innovations and control, where the major players in artificial intelligence are held by the government and there is much ... – I have great respect for this model, great respect. We do a lot with China, but we do not have the same democratic preferences, we do not have the same cultural references on all subjects, we do not have the same relationship with individual freedoms – that is a reality. And so in that Internet, the state has found its place, but it is hegemonic.

We therefore need, through regulation, to build this new path where governments, along with Internet players, civil societies and all actors are able to regulate properly.

https://www.intgovforum.org/multilingual/content/igf-2018-speech-by-french-president-emmanuel-macron

Cited by President Macron, above: https://contractfortheweb.org/

See also:

https://www.schneier.com/blog/archives/2013/06/more_on_feudal.html

EDITED TO ADD (6/13): There is another way the feudal metaphor applies to the Internet. There is no commons; every part of the Internet is owned by someone. This article[*] explores that aspect of the metaphor.


[*] New link to "This article":
https://www.researchgate.net/publication/279429688_Digital_Feudalism

---

That the Internet is balkanizing along fundamental political if not geopolitical lines is a foregone conclusion. If Berners-Lee's vision of the Web is to survive then democracies need to move beyond Internet feudalism and start treating the common people as more than mere commodities or numbers.

---

Regarding the lack of regulation:

What Mr. Schneier wrote in his New Book Announcement regarding cyber-physical systems applies here as well:

The regulation-free Internet that we've enjoyed for the past decades will not survive this new, more dangerous, world. I fear that our choice is no longer between government regulation and no government regulation; it's between smart government regulation and stupid regulation.

https://www.schneier.com/blog/archives/2018/09/new_book_announ.html

---

Lastly:

Where there is no vision, the people perish: but he that keepeth the law, happy is he. (Proverbs 29:18)

Clive Robinson • November 19, 2018 12:18 AM

@ tyr,

I also think of the guy who saw WW2 coming scanned the world for a place to avoid it and moved to Guadalcanal based on his own forecast.

I get reminded of him every time I see something about Silicon Valley types buying land in "the last bus stop to the Antarctic" AKA NZ.

Foresight in one domain does not give by necessity foresight in another domain. Thus he saw the movement in political positions but not the changing in military tactics.

Which is yet another thing I get reminded of every time I get told of the money being put into "aircraft carriers" and their supporting vessels or "groups".

It takes no great brains to work out that aircraft carriers had their 15mins of fame and usefulness back in WW2 as capital battleships did in WW1. Now in most cases the job carrier groups perform is "sitting ducks"; what they do tactically can be more easily carried out in other ways. Thus the real question will be, come WW3, "subs or IRBMs?" to nuke a carrier group out of the water... Or more likely a mixture of both.

With regards,

Longterm planning is not a human virtue so most of what is cobbled together will be swept away in the next major event.

Actually a lack of "longterm planning" is not a "human" problem as such, but can be traced back to the "export of greed" the British had started before the Tudor period. Today we call it "Western Capitalism" and the actual root cause is "ownership" culture, which can be seen as "It's mine, I will do what I want with it". There are other viewpoints, one of which is "custodianship" culture, which is often seen in indigenous populations that have learnt to live within their environment and handed it down to subsequent generations.

One of the reasons the US is in trouble is "ownership" culture and the exploitation it has given rise to. Put simply in three hundred years America has been denuded of the majority of its natural resources and what is left has been poisoned by the denuding processes... In over a thousand years, Europe has not gone down that road as far, in part due to population density.

But there are other cultures, some have the worst of both outlooks. One such is that which has become apparent within China. It is as exploitative as the prevailing US corporate culture, but also takes the long view on securing raw resources not just for its future use but to deny them to others.

As has been observed the most likely survivors of the next World Conflict will be cave dwelling goat herders in some remote resourceless valley...

But sometimes as was found in the dark ages "resourceless" is a relative issue. You might be a dirt poor subsistence farmer, but at least you have a viable source of food unlike a high-tech city where concrete is king and even weeds fail to grow.

PeaceHead • November 19, 2018 3:30 PM

The previous comment after the parenthesis "(" was supposed to read as:

I'm not promoting this site; I'm providing it for reference as a cultural phenomenon".

By the way, data holes seem to be the norm between web browsers co-installed within the same home computer system.

Men in Black • November 19, 2018 3:50 PM

@PeaceHead

When people talk about sex, they are charging money for it. Remember dontdatehimgirl.com which the EFF's lawyers were plugging for?

Some sort of blacklist for male personae non gratae, not quite a registered sex offenders list, but the same general sort of "list" or "database" of social undesirables or mental defectives.

A bunch of girls getting together to pursue a Nazi-like Holocaust vendetta against their ex-boyfriends, over and above all legal means of action in court.

The kind of girls who have an online dating profile, because they want the protection of an online pimp.

echo • November 19, 2018 8:06 PM

https://www.independent.co.uk/news/uk/politics/brexit-latest-deal-introduce-id-cards-immigration-control-eu-andrew-adonis-free-movement-global-a8641866.html

It suggested the UK should do more within existing EU rules to tighten controls on immigration, pointing out that Britain is the only country in the bloc not to have a national ID system.

I don't know if this is a good idea without addressing the issue that the UK doesn't have a codified constitution. The doctrine of parliamentary sovereignty and the Burkean doctrine is very worrying from a citizen's point of view. The UK also doesn't follow the social democratic model nor has it signed up to social chapter protections.

Global Future said interviews with European politicians revealed widespread surprise that the UK had not made use of its current powers to manage free movement, as other EU countries have done.

The report accused Theresa May of interpreting the Brexit vote to mean freedom of movement must end “whatever the cost” - a move it called “a mistake”.

It suggested that British voters are not opposed to immigration in principle but want tougher action against criminals and those seen to be taking advantage of the rules. Concerns centre on four areas, the authors said: ensuring criminals are kept out, relieving pressure on public services, ensuring access to good jobs, and promoting integration.

This seems reasonable.

echo • November 19, 2018 8:56 PM

Here are some interesting views on curiosity and emerging public policy discussion on removing snobbery from the recruitment process and how mavericks may benefit organisations.

https://www.sciencealert.com/17-science-backed-signs-you-re-smarter-than-you-realise

Tomas Chamorro-Premuzic, business psychology professor at University of London, wrote a post for Harvard Business Review in which he discussed how the curiosity quotient and having a hungry mind makes one more inquisitive.

Regarding the importance of CQ, he wrote that, "It has not been as deeply studied as EQ and IQ, but there's some evidence to suggest it is just as important when it comes to managing complexity in two major ways.

First, individuals with higher CQ are generally more tolerant of ambiguity. This nuanced, sophisticated, subtle thinking style defines the very essence of complexity.

Second, CQ leads to higher levels of intellectual investment and knowledge acquisition over time, especially in formal domains of education, such as science and art (note: this is of course different from IQ's measurement of raw intellectual horsepower)."

A Goldsmiths University of London study found that intellectual investment, or "how people invest their time and effort in their intellect," plays a major part in cognitive growth.

https://www.ft.com/content/edf9d496-e8d9-11e8-885c-e64da4c0f981
Exciting rule-breakers rarely rise through the ranks.
Big companies may want to hire mavericks but most organisations are built on rules.

One core attribute of norm-challengers — curiosity — is also “a predictor of how you make your network more diverse”, Francesca Gino told me recently. In her book Rebel Talent, about how to avoid becoming too comfortable with conformity, she cites a survey of more than 3,000 employees across a number of industries. She found more than nine out of 10 thought curious people brought new ideas, but less than a quarter regularly felt curious about their job.

https://www.ft.com/content/5cea3944-ec28-11e8-8180-9cf212677a57
Labour vows to end civil service qualifications ‘snobbery’.
Angela Rayner calls for end to Whitehall’s academic requirements in drive for parity.

In a drive to tackle “snobbery” over the reliance on qualifications and to establish “genuine parity of esteem”, Angela Rayner, shadow education secretary, will say that Whitehall advertisements for civil service jobs should only demand academic qualifications where it is a genuine occupational requirement.

“We will end the snobbery that underpins attitudes towards different types of qualification and end the assumption that academic qualifications should be a basic entry requirement for jobs in Whitehall, limiting them to where they are necessary,” Ms Rayner will tell the Association of Colleges annual conference on Tuesday.

“Government itself will lead the way in setting a clear example to other employers that a person’s skills and experience are as valuable as any particular type of qualification.”

Bob Paddock • November 20, 2018 6:47 AM

@Clive Robinson

"...Remembering we are over due not just one but several volcanic eruptions,..."

Clive look up the 'Grand Solar Minimum' and such papers as:

"Reinforcing the double dynamo model with solar-terrestrial activity in the past three millennia"
V.V. Zharkova, S.J. Shepherd, E. Popova, S.I. Zharkov - https://arxiv.org/abs/1705.04482

Zharkova recently updated her work with a video on YouTube.

The short version of it all is as the Earth's magnetosphere weakens, it lets in more Cosmic Rays.
The Muons power up the silica rich soils causing more earthquakes and volcano eruptions.
As the volcanoes put more particulate matter into the stratosphere it causes more cloud nucleation leading to the Albedo Effect.

In the end it is all based on historical cycles of the Sun.

Also look up suspicious0bservers and Oppenheimer Ranch Project that cover the science papers, history and related items each day.

Lots of security implications for those that understand the long term effects of it all.

JG4 • November 20, 2018 6:49 AM

@echo - I like the one about curiosity. I was able to check all of the boxes.

This looks like it is worth the trouble to critique.

https://www.nakedcapitalism.com/2018/11/another-blow-biometric-id-fairy-researchers-show-master-fingerprints-bypass-smartphone-id-sensors.html

It is said that everyone's fingerprints are different, but clearly some are more different than others.

In a mathematical language, fingerprints have Mahalanobis distances, arising from orthogonal components. How many and how finely those are distinguished is similar to how many pins there are in a lock, and how many different heights the pins can have.

To find that the tech companies used only superficial maths wouldn't exactly be a new surprise.

Clive Robinson • November 20, 2018 11:04 AM

@ Bob Paddock,

Was it you or JG4 I posted a link to a similar paper about the fact that the current behaviour of space weather is not what it should be?

From the close in timewise projection the Critical Frequency (f0/CF/CIF) is diminishing thus Near Vertical Incidence Skywave (NVIS) mode usage is right down at or below 2 MHz or 150 meter wavelength, where it would normally be considered to be up above 4 MHz or 75 meter wavelength. Which mucks up quite a few users including international maritime and military mobile to mobile communications.

The CF is related to the Maximum Usable Frequency (MUF) Lowest Usable Frequency (LUF) and Frequency of Optimum Transmission (FOT) of any non ground wave communications.

The degrading of CF means less bandwidth to be shared and worse still less efficient antennas for the majority of users, especially mobile users.

I know people may be thinking "so what" but it also has an effect on the types and levels of radiation that hit the earth's surface where humans and their livestock and crops usually are to be found. To make it worse it appears "pollinators" like bees are adversely sensitive to this, and well over a third of our food sources are very much dependent on pollinators. Also it's been shown that the likes of spiders that usually prey off of insects that attack crops are also affected. Apparently their "local map" is based on electrical field potentials.

Thus major questions as to why we are stuck with the current low solar space activity are being asked. Thus is it caused by,

1, An internal function of the sun.
2, Local activities affecting the sun.
3, Remote activities affecting the sun.

As we don't have much information currently just some historic records it's a bit of an open question thus up for grabs research wise.

It's made more interesting in that conventional astronomical physics is not hanging in theory wise as much as we would like, and there are now a group of alternative views one of which is the "Electric Universe"[1] physicists.

That aside, my gut feeling is this extended minima of solar weather is going to be by an internal function of the sun.

[1] https://motherboard.vice.com/en_us/article/nz7neg/electric-universe-theory-thunderbolts-project-wallace-thornhill

VRK • November 20, 2018 12:38 PM

@Gunter Königsmann,
@Clive Robinson,
@AL,
@SpaceLifeForm

Thanks re: QUIC / HTTP3 above.

If HTTP/3 does mandate encrypted packet headers to satisfy TLS 1.3, this ultimately means another "PASS" / DMZ for this traffic, it seems inevitable, which also seems to be the whole idea, allowing it directly on-board. Get this:

(warning, it's a google page: see QUIC)

"...TCP is implemented in operating system kernels, and middlebox [firewall] firmware... ...QUIC... ...suffers from no such limitations." !!!

In honesty, am I really twisting that quote? I HAVE considered aspects of "security" as being "protected from my firewall" before, just not at the level of HTTP.

Clive Robinson • November 20, 2018 12:43 PM

@ Bruce,

One for adding to the "gummy finger" file ;-)

https://www.wired.com/story/deepmasterprints-fake-fingerprints-machine-learning/

It would appear that fingerprint scanners are way worse than most realise, and now cannot in their existing form be considered a "reliable" biometric...

Researchers at New York Uni decided to apply a little AI to developing a fake fingerprint that plays to two major problems of how fingerprint scanners work (or don't ;-).

The result about a one in five spoof rate... The researchers liken it to a "dictionary attack"...

It's definitely a fun read.
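JG4's comment above frames fingerprint matching in terms of Mahalanobis distances over orthogonal components and a lock's pins, and Clive's comment above reports the spoof rate from the same DeepMasterPrints article. The following block is an added illustration of that framing, written for this thread; it is not code from either commenter, from the article, or from any vendor's matcher. It assumes a constructed feature model in which each print is reduced to a vector of independent standard-normal components (so the covariance is diagonal and the distance needs only per-component variances), an acceptance threshold of 2.0, and five enrolled templates; all of those values are assumptions made here. What it shows is the defender's lesson behind both comments: when a sensor only resolves a few independent components (few "pins"), a fixed acceptance threshold lets a large fraction of random impostor probes match someone, and the effect shrinks as more independent components are measured.

```python
import math
import random

# Constructed example for this thread (not from the article or any vendor).
# Each fingerprint is reduced to a vector of independent ("orthogonal")
# feature components; a probe matches an enrolled template when its
# Mahalanobis distance to that template is below a fixed threshold.
# Independent components give a diagonal covariance matrix, so the
# distance only needs the per-component variances (assumption made here
# so the arithmetic stays in plain Python).

def mahalanobis(x, mu, var):
    """Mahalanobis distance between x and mu for a diagonal covariance var."""
    if not (len(x) == len(mu) == len(var)):
        raise ValueError("dimension mismatch")
    return math.sqrt(sum((xi - mi) ** 2 / vi for xi, mi, vi in zip(x, mu, var)))

def accepts(probe, template, var, threshold):
    """Matcher decision: accept when the probe lies within `threshold` of the template."""
    return mahalanobis(probe, template, var) < threshold

def key_space_bits(components, levels):
    """Lock analogy: `components` pins, each distinguished at `levels` heights."""
    return components * math.log2(levels)

def impostor_accept_rate(templates, probes, var, threshold):
    """Fraction of impostor probes accepted by at least one enrolled template."""
    hits = sum(1 for p in probes
               if any(accepts(p, t, var, threshold) for t in templates))
    return hits / len(probes)

def simulate(components, n_templates=5, n_probes=400, threshold=2.0, seed=7):
    """Constructed population: every component is standard normal and independent.
    Returns the impostor accept rate when the matcher only resolves `components`
    features (a partial-print sensor sees fewer 'pins')."""
    rng = random.Random(seed)
    var = [1.0] * components
    templates = [[rng.gauss(0, 1) for _ in range(components)]
                 for _ in range(n_templates)]
    probes = [[rng.gauss(0, 1) for _ in range(components)]
              for _ in range(n_probes)]
    return impostor_accept_rate(templates, probes, var, threshold)

if __name__ == "__main__":
    for dims in (2, 4, 8):
        print(f"{dims} components: key space {key_space_bits(dims, 16):.0f} bits "
              f"(16 levels each), impostor accept rate {simulate(dims):.2f}")
```

The threshold is held fixed across runs on purpose: a matcher tuned for usability on a small sensor keeps the same acceptance radius while the number of discriminating components drops, and that is where the random-impostor acceptance rate climbs. Raising the number of independent components measured, or tightening the threshold as the component count falls, are the matcher-side mitigations this model makes visible.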

Bob Paddock • November 20, 2018 3:00 PM

@Clive Robinson

Yep, lots of Hams looking for band openings pay attention to such things.
More should pay attention to the Kp Index correlations.

Clearly the people at Motherboard spent no time reading or watching much of anything
about the Electric Universe. The home page of the Thunderbolts project is:

https://www.thunderbolts.info/

Maybe you know someone that went to the Electric Universe UK this summer?

https://www.electricuniverseuk.eu/videos/

There is also the SAFIRE Project:
https://www.electricuniverse.info/safire-project/

"That aside, my gut feeling is this extended minima of solar weather is going to be by an internal function of the sun."

Yes, that is likely the case, as it all seems to historical cycles. Interstellar and Galactic Birkeland Currents may play a role and that is one of the things the Electric Universe people are working on figuring out.

The real security issue is when all these events and theories start to have real world effects on the communications, climate, earthquakes, volcanoes, food supplies etc.

vas pup • November 20, 2018 3:46 PM

@echo on harassment of female prison guards.
Thanks for the article.
I can't understand why policy allowed male prison guards to be in a prison with female inmates and female prison guards in a prison with male inmates. That is against all logic and common sense, and even the basics of human biology and psychology. I mean in a prison environment it is very hard to suppress basic instinct. The urge should somehow be channeled in an acceptable way: an inmate may have private time with his wife or girlfriend as a reward for good behavior as an alternative to harassing female guards. Reward should work better than punishment in such cases.
My memory dates from many years ago: in former USSR prison camps - where most inmates were incarcerated - were separate for male and female inmates and guards had to be the same gender as inmates. How could a guard of the other gender conduct e.g. a body cavity search for drugs or maintain order when inmates take a shower?
I doubt that is a kind of equality of employment. By the way, who conducts a full body search of a suspicious passenger (same gender or other)?
When there were two Germanys, US servicemen (stationed in West Germany) very rarely committed sexual crimes: they were allowed to go outside the military base and had the option to contact local sex workers. In East Germany, soldiers were not allowed to go outside the base alone or in small groups without supervision, and as a result there were substantially more cases of their criminal acts of a sexual nature against local females during unauthorized escapes (AWOL).

Clive Robinson • November 20, 2018 4:06 PM

@ Bruce and the usual suspects,

This has come by way of UK Evening Standard "Life&Style" Journalist Mark Blunden, who I will assume either has a warped sense of humor or no security smarts...

"Crypto-King" Martin Gauer has a ~100$ solution to losing your "bit coin passphrase" called "Phrasekeeper". In essence it is a supposedly "Fireproof" copper sheet[1] and a bunch of letter punches. You punch your "oh so secret" Bitcoin passphrase that secures your Millions in a bitcoin wallet into the copper sheet so you can nicely see it....

Then after bashing your passphrase in you bolt it to your wall...

I showed it to my teenage son who rolled about with laughter and implied that those that bought one would be a "typical brainlet"...

https://www.kickstarter.com/projects/attackemartin/phrasekeeper-backup-your-crypto-wallet

I know Bruce has suggested keeping passwords on paper in your wallet, but that is not "banging it up on the wall" where every one who walks in the room will see the "Phrasekeeper" held there by four hex head bolts...

[1] Oh my experience of copper in even house fires is if it is unprotected it has a likelihood of melting, just as Reinforced Steel Joists do... (copper at 1085C has about 2/3rds of the 1510C melting point of steel).

Wael • November 20, 2018 4:24 PM

@Clive Robinson,

"Crypto-King" Martin Gauer has a ~100$ solution to losing your "bit coin passphrase" called "Phrasekeeper"

At a price of $100, that "Phrasekeeper" is worth more than my total cryptocurrency worth. Have you seen the prices lately? Man! I'm gonna be working until I assume room temperature.

It's like finding a torn dollar bill and fixing it for $20. No thanks. You can have my pass-limerick ;)

Clive Robinson • November 21, 2018 5:11 AM

@ Wael,

Man! I'm gonna be working until I assume room temperature.

That sounds easy compared to the poor old devil, he and his Missus have to keep going stacking them like cordwood until long after "Hell freezes over"...

Mind you not sure if that is lower than the temperature required to get Scottish Football (Soccer) Supporters to Support England in a Football World Cup after Scotland have been ousted. Rumour has it that temp is so frosty it's way out on the other side of absolute zero[1], beyond the negative equivalent of a supernova, so not just theoretically impossible ;-)

[1] I know of places in Scotland it's so cold even in Summer that it's claimed it's too cold for water to freeze[2]... However I'm reliably informed that absolute zero is the normal temperature in some Glasgow households when the old man gets back from the boozer on a friday night having pi55ed his weeks wages up against the wall...

[2] And this is not just theoretically possible, you can see it happening in Alaska and some of the warmer bits of Canada most years.

Clive Robinson • November 21, 2018 9:00 AM

@ ALL,

Just a day ago I passed comment on Microsoft weakening Bitlocker security. And also wondering, now MS were getting into Linux on their systems, just how long it would be before they patched in some vulnerabilities...

Well it looks like I could have held my breath without even going blue in the face,

https://raymii.org/s/blog/Linux_on_Microsoft_Azure_Disable_this_built_in_root_access_backdoor.html

Before anyone comments on my apparent ability to see into the future, consider it more a case of "Just how bl**dy predictable Microsoft are as scr3wing the user...".

As the now very old joke has it,

    Whatever the question is... The answer is not Microsoft.

Clive Robinson • November 21, 2018 9:45 AM

@ Bruce and the usual suspects,

And "Today's Ouch moment" is,

https://techcrunch.com/2018/11/20/how-a-small-french-privacy-ruling-could-remake-adtech-for-good/

This is going to cause a lot of pain in a lot of places...

It appears that even --Supposed-- EU GDPR experts are anything but, might be time for many to have a rethink on their GDPR position, potentially it's illegal in some way...

And all in time for Xmas, where online retailer's hope to hit their years targets...

vas pup • November 21, 2018 12:09 PM

AI related:
http://www.bbc.com/future/story/20181120-what-single-word-defines-who-you-are
“We wondered what would be the minimal version of the Turing Test that one could come up with,” explains McCoy, before speculating whether it could even be captured in a single word. “Then the question was, what were the words that people would actually say?” It was this question that would ultimately inspire a research paper, published this year in the Journal of Experimental Social Psychology.

In the first experiment, McCoy and his colleague, Tomer Ullman, asked more than 1,000 participants to answer the question above and then analyzed the words they produced to find any common patterns.

Knowingly flouting a taboo and provoking an emotion might be the most straightforward way of conveying your shared humanity.

As we saw in the first study, “love” turned out to be one of the most successful. But of the choices available, the highest-ranking word was “poop”. It may seem surprising that faeces turns out to be a human shibboleth, but the results suggest that knowingly flouting a taboo and provoking, rather than simply describing, an emotion might be the most straightforward way of conveying your shared humanity. Other, more colorful, terms could also spring to mind.

PeaceHead • November 21, 2018 4:39 PM

Don't "@" me, bro.
Thanks, for the reply.

I liked the scene with Will Smith's character helping the cephalopod person give birth.
And Hancock was a great movie also.

May Peace Prevail Within All Realms of Existence. --M.G.

Clive Robinson • November 22, 2018 3:44 AM

New Tech Security Threat?

We have "emergent technology" all the time, but something like 9/10ths of it disappears as quickly if not faster into the museum of "might have been".

Of that remaining 1/10th much ends up in very niche positions for various reasons, not least because it offers insufficient benefit over an existing entrenched technology to displace it. Some such as jet packs only work in some restricted environments such as space.

Going back what feels like more than half a life time ago I worked on side issues with designing ion engines. These are curious devices because you put electricity in and a source of donor material and without any moving parts you get very small but efficiently generated thrust with ions leaving at a significant percentage of the speed of light.

They would be ideal for space if it were not for the sacrificial donor material that is one part of the MV=MV equation[1]. That is even with infinitely free energy you still need mass to "throw away" to get your thrust.

Because of "friction" we have all around us on earth Newton's first law of motion is counter intuitive. It is also friction and similar that have made people assume that ion engines could not work in our atmosphere...

Well that was until somebody showed that it was most definitely an incorrect assumption,

https://www.scientificamerican.com/article/silent-and-simple-ion-engine-powers-a-plane-with-no-moving-parts/

Why is this a "disruptive technology"? Well firstly it does not need to carry sacrificial donor material, and secondly it's effectively silent[2] which brings up a major security concern, which you can see in the last paragraph of the article.

[1] Derived from Newton's third law of motion the "equal and opposite" forces and the equation of kinetic energy "Half the mass times the velocity squared". So 0.5MV^2 = 0.5MV^2 by multiplying both sides by 2/V you get MV=MV

[2] Technically it's not silent in that bashing atoms into each other causes an energy cascade which will eventually step down to the point it produces noise we could hear but it would just sound like white noise.

Timothy • November 23, 2018 12:08 PM

The DoD published a rule in the Federal Register today on ‘DoD Identity Management.’

The rule deals with the implementation guidelines for the DoD Self-Service (DS) Logon and the procedures for obtaining a DS Logon credential.

The published rule links to several applicable authorities, including the “DoD Personnel Identity Protection (PIP) Program.” From the Federal Register description: “This issuance establishes minimum acceptable criteria for the establishment and confirmation of personal identity and for the issuance of DoD personnel identity verification credentials.” The document is from 2016.

The DoD PIP document reviews the role of the IPMSCG (the Identity Protection and Management Senior Coordinating Group) who meets at least four times a year and, among many responsibilities, “recommends actions in the area of DoD’s biometric, smart card, PKI efforts, and other identity management technologies and programs.”

Another linked authority is OMB’s “E-Authentication Guidance for Federal Agencies.” The memo describes four assurance levels and reviews the risks and potential impacts of an authentication failure.

The Level 1 risk profile, described as “Little or no confidence exists in the asserted identity” provides several examples; here is one of them:

In some instances, the submission of forms by individuals in an electronic transaction will be a Level 1 transaction: (i) when all information is flowing to the Federal organization from the individual, (ii) there is no release of information in return, and (iii) the criteria for higher assurance levels are not triggered. For example, if an individual applies to a Federal agency for an annual park visitor's permit (and the financial aspects of the transaction are handled by a separate contractor and thus analyzed as a separate transaction), the transaction with the Federal agency would otherwise present minimal risks and could be treated as Level 1.

PeaceHead • November 23, 2018 3:37 PM

Please be warned that similar to attacks against Pr*t*m*l as an alternative to mainstream em*Ls, Tut*n*t*.com is also currently experiencing technical difficulties, also most likely from malicious hackers combined with regular everyday computer/browser/social woes.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.