Friday Squid Blogging: New Research on Squid Camouflage

From the New York Times:

Now, a paper published last week in Nature Communications suggests that their chromatophores, previously thought to be mainly pockets of pigment embedded in their skin, are also equipped with tiny reflectors made of proteins. These reflectors aid the squid to produce such a wide array of colors, including iridescent greens and blues, within a second of passing in front of a new background. The research reveals that by using tricks found in other parts of the animal kingdom -- like shimmering butterflies and peacocks -- squid are able to combine multiple approaches to produce their vivid camouflage.

Researchers studied Doryteuthis pealeii, or the longfin squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on March 22, 2019 at 4:45 PM • 73 Comments

Comments

Alyer Babtu March 22, 2019 6:20 PM

Has anyone demonstrated a display that uses a mechanism like butterfly “structural” color, i.e. interference effects of light passing through and reflecting in the (controllable) gap between multiple surfaces ? Might offer low power and strong color obtained from ambient light, without the “staring into a lightbulb” effect of screen illumination by backing light.

Porlock Junior March 22, 2019 6:35 PM

For some months I have been mystified by the recent spate of newsworthy discoveries that some important corporation has made the mistake of keeping unencrypted files of user passwords. The mystery, of course, is not the complete obviousness of how bad that is, nor how easy it is to do better; rather, it is the complete idiocy of making such a mistake, and its prevalence among corporations that do not seem in all cases to be staffed entirely by idiots.

(I am ready to see corrections on the question of just how bad this is, and would be interested in the opinions of actual experts. I here omit my anecdotal evidence of its obviousness.)

The NYT piece by Brian X Chen on the Facebook security scandal of the day seems to imply an answer, deliberately or not, but does not carry it to its logical conclusion. The key passage: "Citing a Facebook insider, Mr. Krebs said access records revealed that 2,000 engineers or developers had made nine million queries for data that included plain-text user passwords." Please note the "or developers", and wonder whether they are all internal to Facebook.
http://www.nytimes.com/2019/03/21/technology/personaltech/facebook-passwords.html

A possible conclusion: the information was not kept securely because it was never intended to be secure. Much more convenient and profitable to let all the users' data leak to any of the 2,000 people who had access and the skills to make applications for selling everyone's private data.

I am curious whether this answer has been so obvious all along that no one has bothered to mention it, or it has been overlooked everywhere. The former seems unwise, since somewhere there is a congressperson with at least an average IQ and the ability to follow the argument if it were presented - and the temperament to make a noise about it. The latter seems unlikely on the grounds of "If I can figure this out..."

Then again, there is the third possibility, that I've got it all wrong. Ridiculous, of course?

RealFakeNews March 22, 2019 8:05 PM

@Porlock Junior

I agree entirely. While I consider the idiom "do not ascribe to malice that which can be explained by incompetence", you do not get to be the world's largest social media company by accident.

9 million queries? Why? Did they doubt their implementation of a hash function that much that they needed to test "edge-cases" using live data? I doubt it.

That surely leaves only one inescapable conclusion?

gordo March 22, 2019 8:57 PM

From the Krebs article:

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

This may be a coincidence, but Facebook's pivot to mobile began in 2012.

MarkH March 23, 2019 4:01 AM

Thoughts on the B737 Airliner Scandal

Though this blog and its comments usually focus on malicious intervention, I suggest that "automation gone wrong" is another important aspect of security, the hazards of which grow steadily.
__________________________________

Without delving into aerodynamics, it's important to understand that airliners have two systems to control pitch (the angle of the nose relative to the horizon). Elevator control is:
• rapid
• controlled by hand motions on a lever ("analog" input)
• limited in pitch effect

whereas stabilizer control is:
• slow
• controlled by switches ("binary" input)
• several times more effective than elevators

The difference in effect is crucial: the elevators used for maneuvering have the capacity to keep the plane in controlled flight if, and only if, the stabilizer position is in the right general neighborhood.
__________________________________

What is believed to have happened in the Lion Air crash, and likely to have been repeated in the recent Ethiopian crash, is that an automatic function called MCAS (intended, ironically, for safety) made a series of stabilizer adjustments which eventually drove the planes downward even with full nose-up elevator position.
__________________________________

There are several aspects to the safety breakdown which apparently occurred on these planes, including:
• design of the MCAS system
• coverage (or omission) in flight manuals
• flight crew training
• flight crew proficiency
• deficient certification (regulatory) process

Although there were almost surely opportunities for flight crews to save these situations, the seeming failures to respond effectively were themselves (in my opinion) aggravated by the automation design.

Note: It seems that on at least a few occasions, the same type of MCAS malfunction occurred without accident because flight crews responded timely.
__________________________________

To give one example of how MCAS design was dangerous: a much older safety system affecting pitch control (often called a "stick pusher") literally exerts a quite strong force on the yoke in the pilot's hands (at least, when not in autopilot).

This design (more than half a century old) had two great safety advantages: first, the pilot would immediately feel the effect of the system intervention; and second, the pilot could immediately override the intervention (if s/he judged it inappropriate) by physically pulling on the yoke and overpowering the "pusher." It's a sort of "right-brain" remedy.

By contrast, MCAS adjusts the stabilizer without making any noise or other tactile/auditory signal (at least, as far as I have been able to learn). When MCAS engages inappropriately, pilots must puzzle out why the plane is responding abnormally, process visual inputs in the cockpit, and reason through a "left-brain" process in order to diagnose the problem and respond effectively.
__________________________________

The existing MCAS design bases its actions on values measured from one type of "air data" sensor on the aircraft. The present hypothesis is that the observed MCAS anomalies occur when this angle-of-attack sensor malfunctions.

In essence, the MCAS makes correct responses to a false assessment of the aircraft state. Obviously, the system design has (in effect) a single-point-of-failure vulnerability.
__________________________________

Reports of a Boeing internal assessment of MCAS problems disclose several significant findings:

1. The actual MCAS range of pitch adjustment is about 4 times as great as the range on which the Boeing safety analysis was based.

2. The analysis was based on a single incorrect pitch adjustment by MCAS, and failed to account for a scenario in which after a while MCAS would effectively reset, and iteratively repeat the incorrect adjustment, leading to cumulatively large stabilizer mispositioning.

3. At the assessed level of criticality for MCAS, its design should not have relied on a single type of sensor as input.
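The second and third findings above (a per-activation limit that is re-applied after the function rearms, driven by one sensor) are easy to see in a toy control loop. The following is an added example, not from the original post and not Boeing's MCAS logic: every number in it is constructed, and it compares a one-sensor, per-activation limit against a variant that requires two sensors to agree and caps the cumulative trim the automation may command.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# All numbers below are constructed for the illustration; they are not
# Boeing's MCAS parameters and not real 737 MAX values.
AOA_THRESHOLD = 10.0    # degrees of angle of attack above which the function acts
MAX_STEP = 2.5          # nose-down trim units per activation (per-activation limit)
TOTAL_AUTHORITY = 2.5   # hardened variant: cap on cumulative automatic trim
DISAGREE_LIMIT = 5.0    # hardened variant: max tolerated spread between two AoA sensors
RUNAWAY_TRIM = 10.0     # trim beyond which full nose-up elevator can no longer recover


@dataclass
class TrimState:
    trim: float = 0.0          # net stabilizer trim, nose-down positive
    auto_applied: float = 0.0  # cumulative trim commanded by the automation
    events: List[str] = field(default_factory=list)


def pilot_counter_trim(state: TrimState, amount: float) -> None:
    """The crew trims nose-up (yoke switches) only when the nose is being
    pushed down; in one cycle they can undo at most `amount`."""
    if state.trim > 0:
        state.trim -= min(amount, state.trim)


def single_sensor_cycle(state, aoa_left, aoa_right, pilot_rate):
    """Original-style logic: trusts one sensor, limits each activation to
    MAX_STEP, then rearms for the next cycle. `aoa_right` is ignored on purpose."""
    pilot_counter_trim(state, pilot_rate)
    if aoa_left > AOA_THRESHOLD:
        state.trim += MAX_STEP           # the limit applies per activation only
        state.auto_applied += MAX_STEP
        state.events.append(f"auto +{MAX_STEP} on single sensor aoa={aoa_left}")
    return state


def cross_checked_cycle(state, aoa_left, aoa_right, pilot_rate):
    """Hardened variant: inhibits on sensor disagreement and caps the
    cumulative trim the automation may ever command, however often it rearms."""
    pilot_counter_trim(state, pilot_rate)
    if abs(aoa_left - aoa_right) > DISAGREE_LIMIT:
        state.events.append("auto inhibited: AoA disagree")
        return state
    aoa = (aoa_left + aoa_right) / 2.0
    if aoa > AOA_THRESHOLD:
        step = min(MAX_STEP, max(TOTAL_AUTHORITY - state.auto_applied, 0.0))
        if step == 0.0:
            state.events.append("auto inhibited: authority exhausted")
            return state
        state.trim += step
        state.auto_applied += step
        state.events.append(f"auto +{step} on cross-checked aoa={aoa}")
    return state


def run(cycle: Callable[..., TrimState], cycles: int, aoa_left: float,
        aoa_right: float, pilot_rate: float = 1.0) -> Tuple[float, float, bool]:
    """Runs the control loop and returns (final trim, peak trim, runaway?)."""
    state = TrimState()
    peak = 0.0
    for _ in range(cycles):
        cycle(state, aoa_left, aoa_right, pilot_rate)
        peak = max(peak, state.trim)
        if state.trim >= RUNAWAY_TRIM:
            return state.trim, peak, True
    return state.trim, peak, False


if __name__ == "__main__":
    # Constructed fault: left AoA sensor stuck at 25 degrees, right sensor healthy at 2.
    print("single sensor, stuck AoA    :", run(single_sensor_cycle, 10, 25.0, 2.0))
    print("cross-checked, stuck AoA    :", run(cross_checked_cycle, 10, 25.0, 2.0))
    print("cross-checked, real high AoA:", run(cross_checked_cycle, 10, 25.0, 24.0))
```

With the stuck sensor, the single-sensor loop adds 2.5 each cycle while the crew removes 1.0, so the per-activation limit never bounds the total and the trim reaches the runaway value on the sixth cycle; the cross-checked loop never acts on the disagreeing sensors, and even when both sensors genuinely read high it can never command more than TOTAL_AUTHORITY in total.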

Ergo Sum March 23, 2019 5:59 AM

@MarkH...

Nice summary, thanks...

The 737 MAX has a design flaw, wherein the airplane's center of gravity is permanently unstable. The larger, more fuel efficient engines are moved closer to the fuselage. In addition, to meet ground clearance requirements, the engines are moved forward and higher on the wings. The article below explains this pretty well:

h**ps://graphics.reuters.com/ETHIOPIA-AIRLINE-CONTROLS/0100916V1NZ/index.html

The end result is a plane that can stall, in other words lose lift. The MCAS is intended to keep the plane in balance to prevent stalling.

The end result, with all of its faults, is clearly on BOEING and to a certain extent on the FAA. In 2005, FAA changed how the airplanes are certified by allowing BOEING and others to certify their own planes. The FAA had been relegated to review and approve the manufacturer's documentation. The 737 MAX had been the first airplane that had been approved by FAA based on the new certification process, in 2012 or 2013.

The optional "security add-on" included a warning light for a malfunctioning sensor and MCAS. Like most "add-ons", it's an additional cost for airlines that some of them did not opt for. The main reason being that they did not know much about the impact of the MCAS and unfortunately, neither did some of the pilots.

While BOEING and FAA are responsible for the end results, the pilots are not entirely innocent either. It's hard to understand how pilots would not learn the ins and outs of the new airplane and its controls. The lack of appropriate training is part of it, but if you are a pilot, it isn't just the passengers on the plane whose life is at risk. The life of the pilot is at risk too.

Automation going haywire is a fact of life everywhere, it isn't necessarily the fault of automation. Humans are just as much at fault for not knowing how to correct the faulty automation at hand.

James March 23, 2019 7:41 AM

@MarkH, Ergo Sum:
Boeing was clearly aware of those problems, but they heavily underestimated them. They even had the "AOA disagree" system, but it was optional, as was the pilot training.
I am sure that if the pilots did have the proper training they would have handled the situation. It's not the first time that faulty (or even working as intended for that matter) automation combined with lack of pilot training led to accidents, and unfortunately it won't be the last ... Not to mention most flights are fully automated and most pilots don't really know how to fly "manually" or how to react if the automation fails.
Now the "AOA disagree" warning system will be default instead of optional, and pilot training will be mandatory. Too late for the 300+ souls though ...

Humdee March 23, 2019 9:13 AM

The design flaw in the MAX is that it requires any flesh and blood pilot at all. Stop trying to train around human limitations and let the software do all the work--safer, faster, cheaper.

Boeing's mistake was that it wanted to offload some flight deck responsibility to the children of the magenta line. Unsurprisingly, some of them biffed their task. Plane crashes.

Stupid humans. Stupid Boeing.

James March 23, 2019 9:32 AM

@Humdee
Pilots can't learn something if they don't know they are supposed to learn it. As I said, it was an overlooked piece of hardware/software. They heavily underestimated the MCAS importance; after all, it wasn't a system that controls the toilet lights, but a critical system in aircraft maneuvering. To fly a commercial airliner you need a type rating that's not easy to get nor cheap. It's not like you can buy or rent a 737 MAX and play with it. If more importance had been given to the MCAS system it would have made a huge difference.

Faustus March 23, 2019 9:44 AM

Facebook knows very well that people reuse passwords. It seems likely to me that Facebook used these passwords for further data harvesting. And some percentage of their "developers" must be hackers. What a bonanza for them.

Facebook's concern for users is closest to their concern for a lobster they are about to throw alive into boiling water and eat, all the while commenting: "Dumb lobster!"

"But all my lobster friends are on Facebook! Where will I find another company to treat me like an insensate piece of meat if I am not on Facebook?" Baah!! Baah!! Which are you? A sheep or a lobster? With genetic engineering you can soon be both! Don't worry, it's totally safe, just like O*ycont*n and thalidomide.

The human animal may be a smart predator, but it is dumb prey.

James March 23, 2019 11:10 AM

@Faustus: Facebook is exploiting an infinite resource: human stupidity, and they do it very well. I don't know which is more stupid: sharing your most intimate stuff with an entity that you know will share it with others or just mishandle it, or complaining when this eventually happens? But hey, people have nothing to hide ... I am certain that if Facebook would somehow disappear, a lot would become suicidal. I still don't get it: if you willingly share stuff and have nothing to hide, why bother when Facebook f..s up?

James March 23, 2019 11:17 AM

A correction to my previous post: by "stupid" I don't mean companies that promote themselves on Facebook or people that actually make money out of it. I mean those that share just for the "look at me".

bpaddock March 23, 2019 11:23 AM

If the background Gravity Field of Earth is measured and known, then doesn't that mean that any moving mass, even if optically cloaked or undersea like a Sub, would be detectable?:

Taking gravity from strength to strength March 20, 2019, European Space Agency.

Then we add Sound by the Pound: Surprising Discovery Hints Sonic Waves Carry Mass; Some sounds might possess a tiny but measurable amount of negative gravitational mass. So now Sound has (negative) mass, by extension the sound could be listened to from Space?

1&1~=Umm March 23, 2019 12:07 PM

@Bob Paddock:

"doesn't that mean that any moving mass, even if optically cloaked or undersea like a Sub, would be detectable?"

Yes and no, you have the single-v-multi sensor issue.

Put simply, until recently you detected mass by its effect on other mass, and part of that is the distance between the two masses. If you have your sensor mass indicating a 'mass at a distance', then the distant object can trade mass with distance from the sensor mass and it would not detect any change.

Thus with rockets, for instance, with most of their mass being fuel, it might be possible to design it so that a warhead could get in effective range before there is any significant mass movement directly towards the sensor mass detected.

You have similar issues with passive range detectors that use just signal strength. If the transmitter knows where the range detector is, it can change its signal output level accordingly. It can also easily fake the Doppler shift for a single sensor as well.

It's why you should always have a long baseline approximately orthogonal to the target with multiple sensors, and move at least one of them in an apparently random manner known only to the sensor operator.

Whilst it might appear academic, you can turn things on their head. If your drone only has one GPS antenna then it's vulnerable to a form of fairly simple spoofing attack, where you pick up the signals at a remote antenna and rebroadcast them at the drone; if your signal is stronger at the drone then you win. It's a little bit more complicated, but in essence that's what you do.

1&1~=Umm March 23, 2019 12:28 PM

With regard to the squid camouflage,

"The research reveals that by using tricks found in other parts of the animal kingdom -- like shimmering butterflies and peacocks -- squid are able to combine multiple approaches to produce their vivid camouflage."

I can see it 'coming to a tank near you', real soon now, or at least a very big research grant from DARPA or similar.

Mind you it might be fun to have a Dinner Jacket made out of it, it would beat 'the men in white' suits of the film industry ;-)

Sherman Jerrold March 23, 2019 2:29 PM

FEMA (u.s. Federal Emergency Manglement Agency) is a disaster in itself, security and otherwise. It has always had a clueless muddled organization incapable of effective aid with leadership that has always been ignorant or malicious, but under the current administration, it is now completely underfunded and incompetent. It just "exposed more than 2 million wildfire and hurricane survivors to identity theft and fraud".

https://thinkprogress.org/fema-wildfires-hurricane-disaster-survivors-id-theft-d3f5654fdc37/

OMG

VinnyG March 23, 2019 3:40 PM

@Sherman Jerrold re: FEMA breach - Just want to point out that most decisions in Federal bureaucracies are made by career bureaucrats whose tenure spans multiple political administrations. With some exceptions, policies with respect to such criteria as security of data are also evolved and administered over the long term. As much as I despise Trump & co, I think it would be a mistake to attribute the dysfunction of FEMA in general, and the lack of planning and diligence leading to this breach specifically, too predominantly to the current administration. That might be emotionally satisfying, to an extent, but inaccurate attribution will tend to hinder solutions more than to promote them.

James March 23, 2019 3:43 PM

Well in my opinion a Federal screw-up is way worse than a Facebook screw-up.

VinnyG March 23, 2019 3:59 PM

@James re: 737 MAX "Not to mention most flights are fully automated and most pilots don't really know how to fly "manually" or how to react if the automation fails."
This to me is a huge problem in and of itself. The first question that occurred to me as I read of these crashes was how bad an aircraft design could be for its designers to believe that pilots were incompetent to correct likely flight anomalies, and that the corrections should be taken entirely out of their hands. I'm sorry to say that your statement rings true in that regard. Automated systems will sometimes fail; critical automated systems will sometimes fail catastrophically. Automated systems require human monitoring at some remove (the degree is certainly subject to debate.) To just flat out ignore that need in the interest of development resource economies is, and will continue to be, a recipe for disaster(s). I expect similar outcomes if (when?) US DOT begins allowing autonomous vehicles to share highways with human-driven conveyances without sufficient testing with a human present and capable of overriding mistakes. At least the per incident carnage in those cases should be smaller in magnitude.

James March 23, 2019 4:20 PM

@VinnyG:
I don't think the 737 MAX is actually flawed by design (just an opinion; I only have a PPL-A SEP, hobby license, and what we're talking about here is on a whole different level). The fact they did not change the training to include this particular system is outright stupid, especially since (from what I have been reading) some pilots did complain. Allowing a single point of failure (one AOA sensor) for a critical system is also stupid.
Take the B2 Spirit for example: according to the available public info, it's impossible to fly that plane by hand. Most critical systems are handled by computers. But at a 2Bn price tag, I bet those pilots know every nut and bolt on that plane.
It's not the first time a piece of automation designed to save your life ends up killing you, and unfortunately it won't be the last ...

James March 23, 2019 4:27 PM

Anyway, aviation is still safe. You have more chances of getting killed on the way to the airport (or being bored to death while waiting in lines for check-in, security check, delayed flights etc) than on the actual flight.

Humdee March 23, 2019 5:23 PM

"with a human present and capable of overriding mistakes. "

The lives a pilot saves have to be measured against the number of deaths he causes. Human pilots do more harm than good. Pilot error is the #1 cause of airline incidents reported to the FAA.

Will automation prevent every possible accident? No. But that is the wrong metric. The right metric is whether automation will save more lives than the deaths it causes. And it will, because it has. 80+ years. The evidence is in.

Get the pilot out of the plane. Permenently.

Poimenantly March 23, 2019 5:56 PM

"Get the pilot out of the plane. Permenently."

You can't even spell it!

James March 23, 2019 6:10 PM

@Humdee: Let's agree to disagree. Remember that all our tech is made by humans. Indeed human error accounts for the better part of accidents. However, if you break that down, human error does not always equal pilot error. Remember, automation is also made by humans. If a pilot fails, he crashes his flight. If an engineer fails, he crashes several flights, until the investigators catch up on the flaw. Most of the time an air crash is not caused by one single failure, but by a cascade of failures, human, mechanical, logistical or otherwise. It's a system as strong as its weakest link. You could conclude that the 737 MAX fiasco is technically human error, but not really pilot error. Human pilots saved the day on several occasions; they complained to the airlines "hey, this bird is doing something it wasn't supposed to do, and that isn't in the SOP" and they were ignored. Human error indeed, but not pilot error, until proven otherwise. I agree that in our day it is illogical to hold the yoke in your hand for a transatlantic flight when an automated system can hold your track / FL / etc; however I want a trained pilot in that cockpit, not a computer.

1&1~=Umm March 23, 2019 6:25 PM

@James:

"or being bored to death while waiting in lines for check-in, security check"

Scarily you are actually more likely to die of a disease you picked up from one of the other people in the line... TB and similar are on the rise in part because of changes to the security arrangements and health care standards are dropping (hence the US now has a falling average age of death).

So next time you are standing there watching the dust in the air, remember that somebody probably coughed it there along with another half million or so other aerial contaminants you can not see but are breathing in, and one just might have your name on it...

James March 23, 2019 6:37 PM

@1&1~=Umm
Yeah, forgot to mention that. However I take the recommended vaccine shots so hopefully I'm safe on that side ...

1&1~=Umm March 23, 2019 7:00 PM

@Humdee:

"Pilot error is the #1 cause of airline incidents reported to the FAA."

I'm always cautious of 'pilot error' when the person is not there to defend themselves, especially when autopilots are involved.

Often it is easier to blame the pilot than to say we have too little evidence of what actually went wrong.

In the UK some years ago a Chinook helicopter flew into the ground in Scotland when carrying quite a few anti-terrorism experts. The military enquiry was decidedly deficient and the pilots, who were dead, were blamed. A group of people carried out their own investigation and showed the enquiry to be the travesty it was. Eventually the military had to climb down and admit that actually the most likely cause was not pilot error but the result of a software upgrade.

This prompted others to make their own investigations and an interesting statistic came to light. The likelihood of a pilot being blamed was quite a bit different if the pilot was a survivor.

So I'd treat the pilot error findings when the pilots are dead as being a 'lift the corner of the carpet' exercise on behalf of those investigating.

That said, I've long believed that automated systems are both more consistent and more reliable than humans.

The problem is that automated systems lack much of the awareness an alert and experienced pilot has when it comes to any one of a million or so errors. The engineers who design those systems work with 'what is known', not what is unknown. Thus any new type of failure is going to be unknown to the system and stay that way until the software goes through an update, extensive testing and an eventual slow roll-out around the world. This leaves a large window in which things can further go wrong.

But yes, like you I want to get the pilot out of the airplane, but only when the systems are sufficient, which currently they are for uneventful flights; but for the eventful flights, no, not yet, not by quite some way.

James March 23, 2019 7:06 PM

@1&1~=Umm best comment yet. I could not have said it better myself. Sometimes (unfortunately too many times) it's easier to blame the dead. They can't defend themselves, they don't care ... Occam's razor sometimes works, but most of the time it doesn't, especially not in our day ...

MarkH March 23, 2019 8:03 PM

@Ergo Sum:

Thanks for the link to the explainer, which is done quite well (as usual for Reuters). I see that these planes still have trim wheels, so I stand corrected that stabilizer controls are only binary -- the switches on the control yokes are simply up/down, but the trim wheels are "analog style."

I would not say that the engine configuration change on the MAX introduced instability ... "unstable" has a quite specific meaning in aviation. Rather, I would call it an unusual handling characteristic.

Aviation has a long history of automatic systems to counteract both tricky handling characteristics (which I believe exist in one form or another on all airliners), and actual instability. Until now, these were designed in thoughtful ways that minimize any trouble to the flight crew.
_______________________________

The beginning of the Reuters article explains how "yoke jerk" shut off the automatic trim system in older 737s. This is a great example of the old Boeing design philosophy: the pilot's natural and intuitive response to aircraft misbehavior disables the automatic system.
_______________________________

My interest in this type of aviation accident dates back to the early days of Airbus super-tech airliner design, when I read an account of a fatal crash which occurred (as I recall) in Asia.

In that case, the flight crew had accidentally set the "mode" of their highly automated plane for takeoff, when in fact they were in the landing phase.

The Airbus automatic control system kept winding in nose-up stabilizer, in response to its observation of descent when it expected to ascend. The pilots reacted by pushing their joysticks forward, in an effort to keep the nose down. This continued until the stabilizer angle was so great that even with full down elevator, the jet stalled and crashed.

In Boeing designs of that era, the pilots' assertive control inputs would have switched off automatic trim ... but in the Airbus, the pilots needed to understand that automatic trim was the cause of their troubles, and then push a button to disable automatic trim.

I was horrified by this vision of the doomed aircrew in a losing battle with an automated system which was fighting against them.

My takeaway was to NEVER allow automation to wage an extended tug-of-war against the human pilots. [Another example of getting this wrong was Toyota effectively preventing drivers from shutting off the engine in response to a stuck throttle.]

A reasoned case can be made for removing people from vehicle control loops. But as long as they are there, allowing the computers to override the pilots is a lousy policy.
______________________________

A family member who long worked as an aerodynamicist at Boeing explained to me (many years ago now) that as long as Boeing retains its ideas about flight controls, they would never replace the cockpit yokes with Airbus-style "sidesticks" (similar to gaming joysticks).

It's really a shock to me, and very sad, to learn that Boeing forgot how to incorporate the pilots' natural, tactile responses as a cornerstone of flight control safety.

James March 23, 2019 8:30 PM

@MarkH

Yeah, automation is supposed to warn you if you do something stupid, and to help you. The point is that the plane maker and airline teach you about all those details. Not knowing those, it's like having an evil twin in the cockpit that pushes the yoke down "just because". As an analogy, it's like driving a car on the freeway and someone just turns your steering wheel right or left.

James March 23, 2019 8:49 PM

The 737 MAX problem is not easily attributable; it is a systemic fault. You can't blame it on a specific person/company/issue. Can't blame it on Boeing, can't blame it on the FAA, can't blame it on the airlines, can't blame it on the pilots. We made a very good and efficient plane, but it's a bit harder to fly. Oh well, forget about it, it makes us money, why not? How hard can it be to fly it? and so on. Everybody has cut corners here, not just Boeing, not just the FAA, but everybody. Systemic fault. Too bad 300+ people had to die.

Rach El March 24, 2019 12:39 AM

1&1~=Umm

James:

Scarily you are actually more likely to die of a disease you picked up from one of the other people in the line.

Valuable travel tip, to accompany paracord for shoelaces, fishing line, candles and a polished tobacco tin lid for signaling.
Eucalyptus essential oil. The quality kind that comes in a 10ml vial, not the supermarket variety. Or oregano essential oil. Even better is the medicinal oregano oil designed for internal use (which essential oils are not), as it's doubly effective taken internally.
A tiny amount on a tissue inhaled occasionally is a life saver on aeroplanes, and queues such as those described. Of course the Met and the Tube.

ismar March 24, 2019 12:49 AM

Just wanted to share what I thought was a very well thought out email from one of the service providers I have an online account with, regarding a recent data breach they encountered on their system.

"Hello Kanopy Community:

I wanted to send you one final note with an update from my email yesterday, regarding the recent security incident we experienced at Kanopy.

We have hired a leading forensics firm to assist with our ongoing investigation and continue to gather more specific information. During the incident, some of our web logs were made available, showing users’ IP addresses and associated activity. While this is unfortunate, we have no evidence to date that this information has been used maliciously and, upon learning of the incident, we immediately secured all of the data on our system. At this time, there is no required action for you to take.

For a five-hour window during the incident, it may have also exposed data from 162 accounts – a very small subset of our total user base – containing users’ registered email address, Kanopy password, and in 82 cases, the public library account number. We have terminated the passwords for the known impacted accounts and have contacted those individuals via email so that they can take steps to reset their passwords. If you did not receive an email from us asking you to reset your Kanopy password, then we do not believe that your account was impacted.

Our investigation into the full scope of the incident remains ongoing, and, when more information is available, we will advise the impacted individuals as appropriate.
We take the privacy and security of your personal information seriously and we apologize for any inconvenience or concern this may cause."

1&1~=Umm March 24, 2019 4:19 AM

@Rach El @James:

"Eucalyptus essential oil. quality kind that comes in a 10ml vial, not the supermarket variety. Or oregano oil essential oil."

Yes, some essential oils do have antibiotic properties whilst others have astringent properties, by which they protect themselves from microbes of various kinds (even real maple syrup has some if you don't cook them out). But... some also have protections against larger organisms that munch them, thus they have poisons for us 'meat sacks'.

Eucalyptus smells nice and can even make bad tempered Koalas appear more cute. However the reason for both their cuteness and bad temper is what they eat and the high levels of cyanide it contains. Whilst nearly every tree that produces 'pitted fruit' generates some level of cyanide, they tend to localise it in the pits (stone kernels/seeds); the Eucalyptus puts it in the leaves and other places as well, along with its high calorific oils. If you ever have the misfortune to be near a Eucalyptus when it burns you will find it burns hot and vigorously.

But it's not just trees; many carbohydrate rich plant tubers also contain cyanide or other poisons. Some, like cassava, can have low quantities in some varieties and can have the cyanide simply processed out to a safe level, whilst other almost identical looking varieties cannot... Look up 'Death by cassava' to see why you really should listen to old grannie tales. The same is true for potatoes, tomatoes and rhubarb, all of which you would have found in British gardens.

Contrary to what some say about security attacks not getting worse with time, food security is in part based on knowledge, and the knowledge is not getting handed down from generation to generation any longer. What I learnt about 'green potato' and various beans like 'kidney beans' is not getting taught to most children.

But it's not just food security; ICT Security appears to suffer with mistakes endlessly repeated, a sure sign people are not learning from yesterday's mistakes.

And now the lack of 'past knowledge' mistakes have 'Physical Agency' and are killing people. The software industry in particular needs to get a grip on itself before the politicians are forced to act, because in this century they tend to over react and 'kill the golden goose'.

Sigh... March 24, 2019 5:26 AM

Comments on the 'quality' of my country's BSc Infosec courses

For the last couple of months, I've had the company at work of someone who did my country's officially sanctioned "Whitehat hacker" BSc programme. He can do penetration tests and the like, and has learned a lot about security (or so he thinks).

I've been less than impressed with his knowledge and especially his description of the courses:

  • Almost exclusive focus on modern Windows and (Ubuntu) Linux. Macs are completely glossed over, security-oriented Linuxes are mentioned in passing (but no real experience) with the caveat that NONE of the Linuxes often mentioned on this blog are taught, other OSes are completely not mentioned, no knowledge of Unix history, no knowledge of differences between Ubuntu Linux and other *n*xes - and anything that isn't Windows or Ubuntu-derived apparently sucks.
  • Very strong focus on security through obscurity (that pretty much damns it all).
  • No clue where to find things on the internet that aren't part of the curriculum.
  • They teach about the Dark Web, as well as the more popular protocols (HTTP(S), FTP, Windows-exclusive shit...). Nothing about Usenet and other older protocols. Nothing about the less well-known seedier parts of the internet (e.g. Imageboards such as 4chan).
  • They are told about Hacker News...and that's pretty much it. Places such as security blogs and other things that might at occasion skirt my country's official position on what people may or may not do on the internet are unknown (and can't be found because they were told not to look for them).
  • Thinking out of the box is out of the question.
  • Lots of focus on all kind of gadgets and iot stuff, lots of focus on modern approaches, close to zero background knowledge.
  • Very limited methodological knowledge that would be very helpful on figuring out why things go wrong or don't work straight away.

The result is a security researcher who doesn't seem to understand the essential parts of being a security researcher, simply because he was not taught how to be properly curious (or rather: it was partially extinguished during his education). Suggestions on where to find stuff are often ignored for the sole reason of "I've never heard of that, can't be good.", while anything he finds on his own must be good (without really looking into it). He makes a lot of avoidable errors as a result of this. Also, I didn't know that a good way of "hardening" a system was to install it with all possible optional software packages...

Much of this also generally applies to University level IT here...gods, it's bad. And the people that come out of it have no clue how bad they are.

Wisdom March 24, 2019 9:45 AM

"Much of this also generally applies to University level IT here...gods, it's bad. And the people that come out of it have no clue how bad they are."

All these people who have no clue how bad they are will in the near future be given the reassuring name of "public interest technologist."

Zero2Zulu March 24, 2019 12:00 PM

Cam0 and invisibility, core to comp sec. Let your attacks be undetected, and catch the unprotected attacks foremost. Profile zero day has been possible for a long time. eEye days. Sig based security only is not enough, and should be the third layer, not second or first. I think you guys may puzzle this one out. Or not.

Zero2Zulu March 24, 2019 12:04 PM

Where's Clive when you need him. j/k. ;-) Hard work, like me, I am sure.

hitchcock films ftw, and kubrick

albert March 24, 2019 1:04 PM

@James,

"...The 737 MAX problem is not easily attributable, is a systemic fault. You can't blame it on a specific person/company/issue...."

The -accidents- were systemic faults, the -blame- rests -entirely- on Boeing.
..

@Anyone,
1. Some aircraft -cannot fly- without very sophisticated Flight Control Systems; the 737MAX is -not- one of them.

2. The human brain is quite capable of making split-second decisions in an emergency; pilots often have only seconds to do that.

3. We are quickly reaching the point where pilots are being overloaded with data regarding the behavior of the FCS, especially the human/machine interface. If they encounter FCS anti-stall behavior during takeoff, they don't have time to review a checklist, folks are gonna die.

4. Extensive use of autopilot can result in complacency in the cockpit. Modern FCS can takeoff, fly and land by themselves. This gives the technologists the idea that pilots can be eliminated. It's already happening in the automotive sector.

I'm not usually a fan of retribution, but some cases call for it. Class action lawsuits merely scratch the surface. Jail time might be more appropriate.

. .. . .. --- ....

1&1~=Umm March 24, 2019 5:12 PM

Have you got a Medtronic implanted medical device in your chest?

If it's a defib you might want to read this,

https://www.theregister.co.uk/2019/03/22/medtronic_implanted_defibrillator_hackable/

This is not the first time implanted medical electronics in people's chests have come up on this blog. In fact the security of them and smart meters appears ludicrously low at the best of times.

In this particular case the manufacturer is in effect claiming that everything is fine... In effect 'Security by obscurity' is what they are relying on.

I have a Medtronic 'MyCareLink' patient monitor in a box down by my work bench that I've been meaning to fire up and have a play with. Maybe I should get it out for a laugh or three ;-)

V March 24, 2019 5:32 PM

I recently had a heartening experience at work. I'm forced to work with a Windows machine, and eventually I got tired of the 'upgrade Java' prompt, so I let the update start. After a bit of grinding away, a window appeared, approximately saying "It appears you have not used Java for over 6 months. Would you like to just delete it?" What?? Oracle doing the right thing? Somebody hold my hand; I'm going to faint.

James March 24, 2019 6:27 PM

@albert:
"The -accidents- were systemic faults, the -blame- rests -entirely- on Boeing."
No, it does not. The blame rests on everybody in the chain; that is why it's not easily attributable.

65535 March 25, 2019 11:14 AM

@ Andy Fletcher

"[1] Clive, I really hope you are OK, it has been a while since we last saw you on this blog."

I have a feeling that Clive is fine. But, I am not really certain about that. All I can say is 1&1~=Umm

I don't know what happened to him. /

albert March 25, 2019 11:31 AM

@James,

Well, simple logic dictates that if Boeing hadn't %@#%&^# royally, none of these accidents would have happened.

I suggest that you go back and read the @MarkH, @Ergo Sum comments again.

. .. . .. --- ....

vas pup March 25, 2019 2:09 PM

Those two articles are important to the human factor in security, the second in particular related to the necessity of privacy as well:

http://www.bbc.com/capital/story/20190321-in-defense-of-corporate-buzzwords

“I don’t really think I believe that ‘business speak’ exists,” he says. “We’re all the same species of bipedal mammal.
[!!!!] Putting business suits on a bunch of hairless primates and putting them together in an office block doesn’t really change them much. [The way] they will tussle, rival each other, look for leadership, listen to each other, pick up words and phrases will evolve from each other.

New York City-based executive coach Alisa Cohn agrees. “We are tribal animals, and there is something about jargon that marks us as insiders ­– one of the tribe ­– [who] will be protected and not eaten in the event of an attack by tigers.”

Cohn hears a lot of jargon in her line of work, and even has her own favorite words: ‘ecosystem’, ‘swim lane’ (aka scope of someone’s job) and ‘peanut butter the raises’, which she says “means spreads evenly like a peanut butter sandwich”.
*****

We’re told that lying is always the worst option, but that isn’t always true.

http://www.bbc.com/future/story/20190324-what-if-we-knew-when-people-were-lying

"For Chidi and some other philosophers, the obligation not to lie trumps all other moral imperatives, including not hurting someone’s feelings. Few people actually adhere to such a strict prescription for honesty, however. Lying is an accepted part of daily life, from our automatic response of “good” when asked how we are, to the praise we give when a friend asks if we like her awful new haircut (or pair of boots).


Yet despite the ubiquity of lies in our lives, most of us are not very good at detecting deception. What would happen, though, if we could suddenly tell, without a doubt, when we were being lied to? The technological or psychological mechanism that would enable this impossible new skill is not worth dwelling on. Instead, what matters is what it reveals about the often-overlooked and underestimated role lying plays in our lives.

Many researchers believe humans began lying to each other almost as soon as they invented language, primarily as a way to get ahead. “Lying is so easy compared to other ways of gaining power,” Sissela Bok, an ethicist at Harvard University, told National Geographic. “It’s much easier to lie in order to get somebody’s money or wealth than to hit them over the head or rob a bank.”

Throughout human history, lying has also served as “an evolutionary necessity to protect ourselves from harm,” says Michael Lewis, a distinguished professor of paediatrics and psychiatry at Rutgers University. This includes protection from persecution – a purpose that lying still serves today for many people around the world. If we could suddenly detect all lies, lives in countries where infidelity, homosexuality or certain religious beliefs are illegal could be put at risk.

Lying also benefits us when the stakes are less high, including at work. If we told our boss what we really thought of him, or why we actually didn’t make our deadline, we might be fired or demoted. We also lie to make ourselves look better and maintain an air of professionalism. “Recently, I was late to a meeting, and I just said the subway was slow,” says Kang Lee, a professor of applied psychology and human development at the University of Toronto. “In fact, the subway didn’t delay me – I was just late because of my own fault – but I don’t think it would be good for me professionally if my colleagues could detect this.”

We’d also have more hurt feelings. For most of us, a world without lies would deliver an immediate blow to our self-image, says Dan Ariely, professor of psychology and behavioral economics at Duke University. “Living with the truth means you would get more honest, brutal feedback about your work, the way you dress, the way you kiss – all kinds of things like that,” he says. “You would realize that people don’t pay as much attention to you and you’re not as important and highly qualified as you think you are.”

Children themselves learn the social value of lying from a very young age. “Mom might say to the child, ‘Listen, grandma is going to give you a present for Hanukkah, and you’ve got to tell grandma that you like it, otherwise it’ll hurt her feelings,’” Lewis says. By the age of three or four, studies show that many children have mastered the art of the polite lie.

Indeed, in terms of interpersonal relationships, “it would be an utter disaster if we could in fact detect lying and deception,” Lewis says. “Lying is a total and complete necessity in a culture in which the moral understanding is you don’t want to hurt the feelings of other people.”

most people said they engaged in dishonesty in order to avoid hurting their partner or damaging their relationship. If romances suddenly involved total truthfulness about everything from the way our partner looks in the morning to whether we ever engaged in infidelity, many relationships likely would not last.

“I like to joke that the reason my wife and I have been married 40 years is because we have separate bathrooms,” Ekman says. “That’s only partially a joke, though, because there’s things you don’t want people, even your spouse, to know about – and it isn’t just bathroom behavior.”

It's impossible to predict all the ways we would benefit and suffer if all lies were laid bare, but what is for certain is that the world would be a very different place to the one we live in today. Humans, however, are adaptable, and “over time, we would develop new norms and acceptable codes of social conduct,” Bakir says.

At the same time, she continues, we would likely do all we could to develop new ways of lying and deceiving each other, whether through technology, drugs, social behavior or mental training.

Kang agrees. “I’m 100% certain we’d continue to deceive each other somehow, we’d just find a different way to do it. It’s a life necessity.”

My take: sometimes a small lie is better than a big scandal.


1&1~=Umm March 25, 2019 5:26 PM

@gordo:

"Newly Disclosed NSA Documents Shed Further Light on Five Eyes Alliance"

If you look back far enough on this blog you will find posts on both the BRUSA (original name) and UKUSA (later name) agreements as they became 'officially' public knowledge.

It's clear from those that various people had made earlier posts outlining much of what was under the agreements.

What the author of the article apparently does not realise is that the British set up the agreement in exactly that way, very specifically to their advantage. Even now the UK is still in many respects the dominant partner on policy and many operational aspects.

The original British idea was that the US did the manufacturing of equipment for the British, as well as providing technical staff at the lower layers. The British however would bring to the table what the US lacked and still does, which is 'access' to satellites and cables. Part of the reason the US is fighting hard to keep the US the 'hub of the internet' is to try and remove the stranglehold on access the UK has via Australia, Canada, and New Zealand.

What few realise, and the NZ Premier found out the hard way, is they do not run their SigInt agencies, and the agencies have no allegiance except in 'lip service' to their elected Governments and the citizens. Put simply, the UK and to a lesser extent the US run the show as an unaligned entity responsible only to itself, the UK usually setting the strategic direction and the US implementing it. Even though 9/11 caused a major shake up of the US IC it had very little effect on the UK-US SigInt relationship. In part it's because of this that the questions about secondments of UK personnel in various key areas are being asked, but mainly ignored, because it's actually not in the interests of either the US or UK SigInts to change a system that serves them very well as effectively a combined or symbiotic entity.

In part the NSA has suffered a loss of turf to other parts of the US Mil&IC to do with the Internet. Whilst this would worry the NSA as an independent entity, what it has appeared to lose at home has been more than covered by the UK and their dependent Five Eyes partners who have the access covered.

Which begs the question of US 'home traffic going international': if people care to look it up there is one heck of a load of US2US traffic that gets routed across international boundaries by the likes of BGP misconfiguration. It's been assumed by some that this is the likes of the Chinese etc 'stealing traffic'; few ask the obvious question of who benefits from these oddities over all, to which the answer is the Five-Eye SigInt community via the fairly obvious --if people look-- choke points sitting in the territorial waters and skies of the non US Five-Eye partners.

Much of what this symbiotic SigInt entity gets up to at the base level is 'hiding in plain sight'. From this and a little thought you get the strategic direction, and appropriate technical knowledge 'fills in the middle'.

As has been observed on this blog fairly often, these SigInt entities are really not that much in front of the open academic and telecommunication communities. Where they do have leads is becoming less relevant, which is just as well as the 'talent pool' they used to draw on has in effect dried up for them, as they can no longer offer either the 'ego food' or 'material rewards' for such people in the face of Silicon Valley etc. Thus all the SigInt agencies are starting to suffer from 'in house time servers' and 'out sourced contractors' who only nominally work for the SigInt agencies.

It is in effect 'COTS' wave II: they have to get not just their tech from the open market but now their staff as well. Which is the heartfelt wish of the MIC, with the likes of Silicon Valley effectively becoming the US IC technical arm and increasingly competing with the SigInt and CommsInt analysts via 'Big Data' and other leading edge tech. Have a look at Peter Thiel's Palantir service and one or two others. What they hold tends to make Facebook look a joke.

Thunderbird March 25, 2019 5:34 PM

So do people really think Clive isn't posting anymore? Maybe someone else with a lot of knowledge has gotten ahold of a "Clive filter?" Because you could imitate many of the mannerisms, but the actual technical detail would be challenging.

1&1~=Umm March 25, 2019 5:46 PM

@vas pup:

"Many researchers believe humans began lying to each other almost as soon as they invented language, primarily as a way to get ahead."

They would be wrong...

Anthropologists worked out years ago that 'secrecy', thus 'deception', which is 'lying by deed or action', was happening right from the beginning with tribes.

That is, it was in a family or larger tribe's interest to conceal prime food sites from other families and tribes.

Thus lying in its various forms is a prime survival skill not just for humans, not just primates, but most other mammals and hot-blooded creatures.

gordo March 25, 2019 7:08 PM

1&1~=Umm,

"What the author of the article apparently does not realise is that the British set up the agreement in exactly that way, very specifically to their advantage. Even now the UK is still in many respects the dominant partner on policy and many operational aspects."

Writing on the “Description of SIGINT Relations between NSA and GCHQ” (December 1985) document, the authors of the Lawfare piece seem to touch on that here, but your point is clear:

The document hints at how the two agencies facilitate such sharing in practice, including by ensuring that the “GCHQ has direct access to NSA computer systems.”

Though the times they are 'a changin', collection remains paramount. As so, it seems to me that traffic shaping, 5g network slicing and IoT are ready-made efficiencies built to serve the likes of XKeyscore interception and analysis engines. Where the two, UKUSA, come out on 5g will be interesting, to say the least.

1&1~=Umm March 25, 2019 8:48 PM

@gordo:

"Where the two, UKUSA, come out on 5g will be interesting, to say the least."

The owner of most of the relevant 5G patents is China. The company concerned is known to have had a good relationship with not just the UK Gov, but also the public face of GCHQ via their center in Aylesbury UK where the GCHQ bods work alongside the company employees verifying not just code but hardware as well.

There have been few if any problems until the US started making lots of noise about the company, who unlike the US Gov has not been caught red handed hiding security failings in various major US Company products (not just Juniper and Cisco). Then the UK Gov issued a report that, to be honest, could have been aimed as much against the US Gov as it was the Chinese Gov. In simple terms they kind of said the company supply chain was vulnerable... That said, it's fairly obvious that most major US Companies and UK companies all have supply chain issues; there is basically nothing that can be done about it and remain economically viable.

Back some years ago the NSA for instance had doubts about the integrity of its supply chain even though at the time it was still making equipment entirely within the US. However it really went 'out the window' when US Politicos decided that the NSA had to buy standard parts etc etc not just on the commercial market, but the 'Consumer Off The Shelf' market. Which they knew meant that they would suffer from 'grey market' and 'counterfeit market' issues, along with various dial home implants. If you remember back there was a lot of noise about the consumer arm that had once been part of IBM. The company that took it over was Lenovo and they were caught out installing 'Advanced Persistent Threat' (APT) malware in the BIOS that used an original IBM PC feature supported by DOS and later Windows to allow 'IO ROM Code' to install malware no matter how often you replaced the OS or hard drive.

So realistically the UK Gov report via GCHQ was more 'political posturing' than anything else, as they have not, as far as I know, asked any other 5G tenderers to meet anything remotely like what they do of the Chinese Company.

The joke is that EU legislation requires a level playing field for large tenders with Government involvement. The fact the UK Gov is not abiding by these rules kind of tells you fairly well nearly everything you need to know about the UK-US 'Special Relationship' at the inter-government level.

But to be honest I rather hope 5G fails miserably; it actually has little to offer over 4GLTE in terms of performance and has the specific issue that 5G handsets are not transferable from one operator to another. So they are the old equivalent of 'Service Provider Locked Phones', which in the EU is a bit of a 'no no'. Thus network interoperability with 5G cannot realistically happen, thus it will fall back to 4GLTE anyway... So from the consumer perspective you have to ask what the 'value added' is for them, and the answer is little or nothing.

RachEl March 26, 2019 12:38 AM

Bong-Smoking Primitive Monkey-Brained Spook

You are quite the character, I enjoy it.
I definitely miss tyr. Equal to the most astute and wise commentator ever to tread these boards. And, he has a bushido way of restraint -terse, concise, every word landing perfectly on point. Clarifying like rubbing alcohol.

@Ratio has been gone for some time

I recall you were upset he spilt your bong water. Although, you could both be working in the same windowless building with more physical floors than are listed on the elevator? Maybe you pass each other every day on the way to the water fountain, it just requires a careful application of an identifying phrase for context.

Mea Corpa March 26, 2019 1:02 AM

"Also the link it's self clearly claims it is a 'news' item."

So it's not about political news? I guess that's reality's fault or something.

Our mistake.

Huey Pilot March 26, 2019 8:35 AM

@MarkH • March 23, 2019 4:01 AM
https://www.schneier.com/blog/archives/2019/03/friday_squid_bl_669.html#c6790468

Thoughts on the B737 Airliner Scandal
...

Well worded/well summarized but some errors in my opinion. When the MCAS system activates, a large wheel next to the pilot's knee spins, offering an immediate indication that the horizontal stabilizer is changing position based on time activated and rotation rate. The wheel has a knob on it that can be pulled out if manual control is required/desired (suicide knob like). If you pull out that knob and forget, automatic activation may bruise your leg/break your kneecap. Likewise if you pull that out you can slow or jam the system so the drive motor can't move the stabilizer. This design is common since 707/KC-135 aircraft in Boeing airplanes.

https://twitter.com/jetphotos/status/911612875923320832
See the big black wheels (edge view) on either side of the throttle quadrant.

The problem was the crew was task saturated and did not understand they needed to override an automatic system deliberately and with force, because there was no guidance in the manual and no training to do so. They were using the yoke mounted manual drive to slew the stabilizer back into position, and then the faulty automatic system was driving it ever further out of trim, hence the aircraft was repeatedly pitching up and down. While this was occurring they likely became fixated/task saturated and did not realize their airspeed was getting dangerously high on the descents. It is entirely probable they damaged/tore off a flight control surface from excess airspeed/dynamic pressure on the last dive, which precluded the ability to recover.

The automatic system was installed because the center of thrust with the new engines was forward of the old engines and Boeing wanted the plane to manually handle similar to the old 737 so no retraining was required.

Increasing the thrust on the new aircraft, as you would in a go around or other emergency scenario, causes a greater pitch up moment due to the new forward center of thrust. Changing the horizontal stabilizer position automatically (without pilot action) counters this moment (in theory) so the aircraft continues to handle normally (as expected, like an old 737) in manual flight control. Tragic that nobody thought this through. But it also explains why a culture with a suspicion of automatic systems and a mental mind set/willingness to override automatic systems could deal with this emergency and save the aircraft, while a culture of compliant/passive people might not, due to reluctance to counter authority (automatic control). I would have found the damn circuit breaker powering the drive screw motor and pulled it, and then reverted to manual positioning of the horizontal stabilizer for the balance of the flight. Any malfunction of this system should have been a red X in the aircraft logs prohibiting flight until repaired; but since the system didn't exist in the pilots' aircraft manuals, they could only write up the general stabilizer system and not the automatic drive function (MCAS), as they did not know it existed! That is Boeing's criminal act: failure to fully inform the pilots due to their desire for common training requirements with the older 737s.

vas pup March 26, 2019 3:29 PM

@1&1~=Umm • March 25, 2019 5:46 PM
Yeah, you do have a point.
I guess they were meaning lying by words in that case...

vas pup March 26, 2019 3:38 PM

@1&1~=Umm
Recently (several months ago) on American Heroes Channel (USA) such a fact was disclosed:
In 1940, when Britain was already at war with Nazi Germany, they (GB) provided Roosevelt with a plan, allegedly stolen from the Germans, to invade and occupy the Panama Canal, in order to bring the US to war with Germany. Hitler found out somehow and was pissed off because Germany never had such plans. It was discovered later that British Intel fabricated that plan (fake news of 1940).
Just an interesting fact of the history of the relationship. That is regarding lying to survive, even to a close ally.

MarkH March 27, 2019 3:35 AM

@Huey Pilot:

Thank you for your insights. At the time of my first comment, I wasn't aware that the cockpit retained trim wheels I'm used to seeing in smaller/older planes.

I'm used to thinking of Boeing as having a strict culture of safety in engineering. I hope that a lot of soul-searching is taking place.

1&1~=Umm March 27, 2019 11:56 AM

Has Never Say Anything done it again?

Even if they have when are people going to get to grips with the idea that 'code signing' is a busted security mechanism and they have to be way more proactive, especially the development side.

This is, in many ways, a quite spectacular Supply Chain attack,

https://www.theregister.co.uk/2019/03/25/asus_software_update_utility_backdoor/

Backend servers in Asus Taiwan got attacked in some way, and as a result a false update file of the right size, and apparently signed by Asus's security key, was put in place of a routine update download.

The result: probably over a million computers infected with the malware.

Why did it not come to notice more readily by side effects etc? Well apparently it was only aimed at six hundred machines...

This kind of puts it in the State Level Advanced Persistent Threat (APT) category. Which is not to say it is a Nation State, but the level of resources required is similar to that of just a few nation states, and the number of actual targets is very small. Thus the returns required are way above what most Cyber-Criminals would be capable of, and also suggest it's very much geo-political in intent.

What would be interesting to see is an analysis of those 600 machine identities, then maybe Shodan them etc ;-)

https://www.shodan.io
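The incident described in the comment above, an update of the expected size carrying what looked like a valid vendor signature, is the reason an update client should not treat a passing signature check as sufficient on its own. The following is an added example written for this page, not code from The Register article, from Asus, or from the commenter: a client that verifies the signature and then independently checks the file's size and SHA-256 digest against a manifest assumed to be obtained over a separate channel (for instance a pinned digest published on a release page or transparency log rather than the same backend that serves the binary). The file name, sizes, key and manifest are constructed placeholders, and an HMAC-SHA256 tag stands in for the asymmetric code-signing signature a real update channel would use, so that the example runs with the standard library alone.

```python
import hashlib
import hmac

# Stand-in for the vendor's code-signing key (assumption for this example).
# A real update channel would use an asymmetric key (RSA/ECDSA/Ed25519) and
# the client would hold only the public half; HMAC is used here so the block
# runs with the standard library.
VENDOR_SIGNING_KEY = b"vendor-code-signing-key-placeholder"


def sign_update(blob: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """Produce the 'vendor signature' over an update image (HMAC stand-in)."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def signature_valid(blob: bytes, sig: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """Constant-time check of the update image against its signature."""
    return hmac.compare_digest(sign_update(blob, key), sig)


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed sample images: a genuine update and a tampered one of exactly
# the same length, mirroring 'a false update file of the right size'.
_HEADER = b"VENDOR_UPDATE_v1.2.3"
_IMAGE_SIZE = 4096
GENUINE_UPDATE = _HEADER + bytes(_IMAGE_SIZE - len(_HEADER))
TAMPERED_UPDATE = _HEADER + b"\x90" * (_IMAGE_SIZE - len(_HEADER))

# Manifest assumed to be fetched over an independent channel and pinned by the
# client. Constructed for this example; a real manifest would itself be
# signed and published separately from the download backend.
PINNED_MANIFEST = {
    "liveupdate-1.2.3.bin": {
        "size": _IMAGE_SIZE,
        "sha256": sha256_hex(GENUINE_UPDATE),
    }
}


def check_update(name: str, blob: bytes, sig: bytes, manifest=PINNED_MANIFEST) -> list:
    """Return the names of the checks that failed; an empty list means accept.

    The signature is checked first, but a valid signature alone never accepts
    the file: the size and digest must also match the pinned manifest entry.
    """
    failures = []
    if not signature_valid(blob, sig):
        failures.append("signature")
    entry = manifest.get(name)
    if entry is None:
        failures.append("no-manifest-entry")
        return failures
    if len(blob) != entry["size"]:
        failures.append("size")
    if not hmac.compare_digest(sha256_hex(blob), entry["sha256"]):
        failures.append("digest")
    return failures


if __name__ == "__main__":
    name = "liveupdate-1.2.3.bin"
    # Genuine image, genuine signature: accepted.
    print("genuine:", check_update(name, GENUINE_UPDATE, sign_update(GENUINE_UPDATE)))
    # Tampered image signed with the vendor key (the compromised-backend case):
    # the signature and size checks pass, only the pinned digest catches it.
    print("tampered, vendor-signed:", check_update(name, TAMPERED_UPDATE, sign_update(TAMPERED_UPDATE)))
    # Tampered image with the old signature: both signature and digest fail.
    print("tampered, stale sig:", check_update(name, TAMPERED_UPDATE, sign_update(GENUINE_UPDATE)))
```

The second case is the one that matters here: when the signing key or the signing step is reachable by the attacker, the signature check passes and the size matches, and only the digest pinned from an independent source rejects the file. Where that independent channel lives (a transparency log, a separately signed manifest, reproducible-build attestations) is the "more proactive" development-side work the comment calls for.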

1&1~=Umm March 27, 2019 3:11 PM

EU rejects US calls over 5G.

I guess most know there is a trade war between the US and China, and that this is causing diplomatic silliness.

One such side of US trade policy appears to be accusing, without supplying evidence, companies in these nations of being used to commit espionage. Which is a bit embarrassing because the US has been caught red-handed doing exactly this a number of times.

One aspect is the US appears to think that other nations should follow suit without question. And if they do not then they get threatened / blackmailed by the US...

Well, a little while ago Germany told the US where it could go in this respect, and to ramp up the pressure even more the EU has just come out and said it's up to individual nations within the EU to come up with their own 5G suppliers list. Which some see as a snub to the US,

https://www.theregister.co.uk/2019/03/26/euro_5g_plans/

No doubt there will be tweets after bed time on this, but it would be fun just to sit back and watch if it were not so serious.

There is one fun side though: anyone remember the strange 'Investor-State Dispute Settlement (ISDS)' mechanism clauses in the previous administration's 'trade policies' over disputes?

Well, it would have put the US Gov in the position of being judged and getting fined, because a preemptive 'national security' argument is not a valid reason for refusing to allow companies or products already in the US market to continue to remain...

gordo March 27, 2019 4:24 PM

@ 1&1~=Umm,

Over a barrel . . . ?

AT&T CEO says China's Huawei hinders carriers from shifting suppliers for 5G
David Shepardson, Reuters, March 20, 2019

AT&T Inc Chief Executive Randall Stephenson said Wednesday that China’s Huawei Technologies Co Ltd is making it very difficult for European carriers to drop the company from its supply chain for next-generation 5G wireless service.


"If you have deployed Huawei as your 4G network, Huawei is not allowing interoperability to 5G -- meaning if you are 4G, you are stuck with Huawei for 5G," said Stephenson at a speech in Washington. "When the Europeans say we got a problem -- that's their problem. They really don't have an option to go to somebody else."

https://www.reuters.com/article/us-att-ceo-huawei-tech/att-ceo-says-chinas-huawei-hinders-carriers-from-shifting-suppliers-for-5g-idUSKCN1R12TX

MarkH March 28, 2019 12:30 AM

Huey Pilot wrote:

"I would have found the damn circuit breaker powering the drive screw motor and pulled it"

That's how a safe pilot thinks. Because (as I explained above) the stabilizer is so much more powerful than the elevator in a jet transport, a mispositioned stabilizer can doom the aircraft.

For this reason, a runaway stabilizer (i.e., large deflection not correctable by the cockpit crew) is among the most dangerous of flight control malfunctions, and it's a matter of life and death to arrest the deflection before it becomes impossible to maintain a normal pitch attitude.

So if a runaway is suspected, the thing to do is pull the breaker immediately, and leave analysis of the fault for later.

Fortunately, this type of runaway is extremely rare. One sad case comes to mind which was not a failure of any of the active systems, but rather mechanical breakage of the link to the stabilizer. The pilots were able to keep their jet aloft for just a few horrifying minutes ...

gordo March 28, 2019 2:02 PM

"NCSC does not believe that the defects identified are a result of Chinese state interference" (p.21 of report PDF). I guess there's a bright side to everything . . . ;)

UK cyber security officials report Huawei’s security practices are a mess
Huawei never delivered on changes promised years ago, National Cybersecurity Centre reports.
by Sean Gallagher - Mar 28, 2019

The problems unearthed by HCSEC [Huawei Cyber Security Evaluation Centre], however, suggest that the bigger threat is that Huawei gear could be hacked by just about anyone who cared to make an effort. And because of how Huawei runs its software development, it’s impossible to give blanket certification for any one product’s security.

https://arstechnica.com/information-technology/2019/03/uk-cyber-security-officials-report-huaweis-security-practices-are-a-mess/

vas pup March 28, 2019 3:14 PM

Scientists develop a robust experiment that shows human brain waves respond to changes in Earth-strength magnetic fields.
https://www.sciencedaily.com/releases/2019/03/190321083637.htm

Interesting is who funded research:
"This research was supported initially by the Human Frontiers Science Program and more recently by the
RadioBio program of the Defense Advanced Research Projects Agency (DARPA) to the Caltech group,
by the Japanese Science and Technology Agency (CREST) to Wang and Shimojo, and by the Japan Society for the Promotion of Science to the University of Tokyo group."

1&1~=Umm March 31, 2019 10:57 PM

@gordo:

"'UK cyber security officials report Huawei’s security practices are a mess'"

Yup I'm fairly sure they are, just like every other company that competes in markets where such aspects are 'not regulated for'.

In fact we know both Cisco and Juniper are in that mess at least as badly if not worse, considerably worse. Then there are the other telco back end providers like Ericsson, let's just say 'the less said the better', as people want to sleep at night.

The problem is these are engineering organisations driven by overheated 'market expectations' that to be honest have now crossed a tipping point that we have seen with IoT and other markets. Speed to market now trumps the more traditional values of reliability, stability, quality, and worst of all 'good engineering practice'.

The fact that the NCSC is holding them to some 'ideal' the market obviously does not want nor can it afford in the face of competition kind of says just how out of touch the NCSC are with the reality of the current market.

If nations want telecommunications security rather than the ability to spy on others or play idiotic power politics games, then they need to 'level the playing field' and hold all potential market suppliers to the same standards by regulation with no exception. But that won't happen as long as 'home market protectionism' and 'collect it all' are in play.

Oh and to be honest you have to ask when the mobile telecommunications market is going to collapse in on itself. Actually sit down and go through the 4G-LTE and 5G specs and produce a list of pros and cons. Then compare the 5G pros with what you lose from 4G-LTE pros.

Take a close look at how 5G falls back to 4G-LTE, then the price you pay for 5G, like the fact you do not get network roaming with 5G but you do with 4G-LTE. Yes I know that some bits of 5G might potentially turn into the new SMS but it's actually not that likely when you consider how 5G gets its supposed advantages.

I'm still a 3G user and don't want much of what 4G let alone 4G-LTE offers. But the dirty little secret that the mobile industry is not talking about publicly is 2G users. Or more correctly 2G-using infrastructure that won't or can not be upgraded, things like smart meters, electricity/gas/water supply control, industrial control systems, traffic lights, vehicle tracking for delivery control, road toll/tracking systems and lots more you don't see even though it's all around you. Mobile is even replacing 'emergency radio' used by first responders and the like, and the official parts use 2/3G because it's cheap. That is the nature of accountancy-led infrastructure, and it's getting worse daily as people are replaced by communications technology that is expensive, then by mobile technology on the cheap, which unfortunately is fast becoming a millstone around the Mobile Service Providers' necks.

gordo March 31, 2019 11:50 PM

@ 1&1~=Umm,

The fact that the NCSC is holding them to some 'ideal' the market obviously does not want nor can it afford in the face of competition kind of says just how out of touch the NCSC are with the reality of the current market.

For some reason Patch Tuesday comes to mind...in any case...

Here’s proof Huawei is now a titanic consumer brand
Revenue from the smartphone division ballooned by 45 percent
By Jon Porter, The Verge, Mar 29, 2019

Huawei has announced record financial results for the last year. The company’s revenue increased to $105 billion, a 20 percent annual rise, while profit was up by 25 percent to $8 billion. The New York Times notes that the results put Huawei in the same league as Google and Microsoft, which both passed the $100 billion milestone last year.


[. . .]

Revenue from Huawei’s carrier technology division was weaker. Reuters notes that revenue from this unit fell by 1.3 percent last year, although Huawei explained that the fall was caused by telecoms investment cycles.

https://www.theverge.com/2019/3/29/18286697/huawei-annual-financial-results-2019-revenue-profit-smartphones-carrier-technology

Ahh, but wouldn't you know it, last year Huawei started a bi-monthly patch schedule for mostly their flagship smartphones. "Primarily, each update will include the latest monthly Android security patches." https://www.phonearena.com/news/Huawei-smartphones-updates-schedule_id106157

The more things change, . . .
