Friday Squid Blogging: Cephalopod Appreciation Society Event

Last Wednesday was a Cephalopod Appreciation Society event in Seattle. I missed it.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on May 10, 2019 at 4:18 PM • 57 Comments


A90210May 10, 2019 4:48 PM

IIRC Shoshana Zuboff, or Surveillance Capitalism, said something like government regulation, not creating multiple smaller surveillance capitalism companies (by breaking up the likes of Facebook or Google), may be preferred and needed.

Break up facebook?

EGLMay 10, 2019 5:17 PM

Putting Innovative Monopoly Power To Work

Exclusive Connected Cars Ads
‘The Auto Alliance, an organization of  20 major automakers — including BMW, Ford, General Motors, Honda, Toyota, and Volkswagen, among others—who’ve pledged to meet or exceed consumer privacy protection principles that are enforceable under privacy and/or consumer protection laws[0]’

‘Obtain affirmative consent before using geolocation, biometric, or driver behavior information for marketing and before sharing such information with UNAFFILIATED third parties for their own use.’

In other words geolocation, driver, in-cabin (including camera and microphone) CANNOT ever be disabled. Affiliate Google’s SensorVault can vastly expand with all this additional travel data to build a fantastically detailed dossier. The stuff that dreams are made of!

This ‘Privacy’ Policy actual purpose is to limit competition, maximize profits and raise stock prices.
With exclusive data collection, Google and these auto manufactures will become the worlds most valuable companies.
These tightly controlled ‘privacy’ policy enhances their monopoly power to exclusively force-feed advertising at every vehicle stop [1].

Chrome Design Change Seeks to Limit Internet Competition
Last month Google developers published plans severely restrict external ad-blockers within Chrome. So much so they become worthless. But no-worries mate as Google has its own ad-blocker!

This month Google profits are slowing due to GDPR and the new Amazon and Wal-mart ad-systems.
As a result there is another huge Chrome browser design change.
Google now classifies its ad-dollar competitors as third-party for 60% (by market-share) of ALL web browsers. That is, Google announced the Chrome browser is reducing/restricting/disabling THIRD PARTY tracking.[2]

The Guardian Also Hot-on-the-Trail
“For a company like Google, all the incentives are aligned to protect their information, and therefore protect your information, but where the incentives diverge is on collection and use,” Barrett said. “None of the big companies that are trying to position themselves as strong on privacy have been willing to play ball on regulation that goes against their business interest or that would change their business models.
Still, Zitron pointed out that for Google and Apple, privacy as PR is working, with headlines in the tech press this week such as, “Facebook talked privacy, Google actually built it...People are eating it up, there’s a narrative here, where you have the bad guy, which is Facebook, and now you have Apple and Google stepping in to say we’re the good guys.
They’re not actually caring about privacy. They’re just trying to get associated with the idea of privacy, and it’s working. Hook, line, and sinker.”
Smart Cut and Paste
A continuous is a stream of bad news against American ‘Innovation’: Today the Competition Commission of India CCI has found Google abused its dominant position and ordered a full investigation. Sources have told Reuters it is on the exact same lines as the case filed against the company in Europe.

[0] This is laughable as there are virtually zero Laws to protect privacy, at least in the USA

[1] The irony is auto insurance companies are already alarmed about distracted driving epidemic. It's the new DUI. They are raising rates for distracted driving, as 1 in 12 are classified as smart-phone addicts.
Imagine the blaring non-defeatable ads on a 12” display will only exasperate this critical safety issue. Is NHTSA better at preventing accidents than the FAA?

[2] its done for our privacy guys!

TazMay 10, 2019 6:22 PM

All the major western tech companies cooperate with the western security services. In Murder in Samarkand I gave the first public revelation that the government can and does listen through your mobile phone microphone even when the phone is ostensibly switched off, a fact that got almost no traction until Edward Snowden released documents confirming it six years later. China is full of western devices with backdoors that are exploited by western intelligence. That the tables turn as Chinese technology advances is scarcely surprising.

Personally I do not want the Chinese, Americans, Russians or British eavesdropping on me, or on each other, and I wish that they would stop. The spy games will of course continue, as they make money for a lot of well-connected people. But for any side to claim moral superiority in all of this is just nonsense.

TazMay 10, 2019 6:23 PM

Immigration Cops Just Spent A Record $1 Million On The World's Most Advanced iPhone Hacking Tech

The contract, signed just last week, takes the immigration department's spend with the company to over $1.2 million, following a $384,000 Grayshift deal last year. That's the most spent on the superpowered iPhone hacking service by any government department, local or federal, looking across public records. The deal also marks Grayshift's biggest publicly known contract to date, according to a federal procurement database and state-level records. Its previous biggest, of $484,000, was with the U.S. Secret Service.

yoohoo are not unix eitherMay 10, 2019 6:37 PM

I believe that TINEYE.COM has been algorithmicly compromised sometime during the past 6 months.
A very modest and simple and familar imageset yields false positives from multiple pathways despite known matches to the contrary.

This error coincides with other data breaches and invasive occurences in the faltering/faultering darpanet (internet).

So yeah, it kinda confirms those earlier discussions about machine learning pattern recog systems being foolable.

witnessMay 10, 2019 6:47 PM

SAFETY SHOULD SUPERCEDE as a form of security


Does anybody know any whereabouts of the local and municipal and state and federal and international laws about the detonation and radiance of ionizing materials within the residential areas of a USA metropolitan populace?

I don't know where to start.

I will try to explain more of this later, yet probably not on this site.
Yeah, I was worried too. The blasts occured in the open air late 2018 and the aftereffects lasted about 1-2 weeks.

The probably highly illegal and dangerous events happened at night and were visible at night and temporarily and repeatedly knocked out some residential neighborhood and business district power grid systems.

I believe it was actual ionizing radiation or similar, because it changed the extermal colours of many very old familiar buildings in the area as well as their windows.

And it temporarily profoundly affected the local weather in some strange yet measureable ways.

This did NOT happen in a traditional military testing area! This was right above and amongst residential civilian homes and businesses.

I was awake and outside that particular night and anxiously witnessing the tinted flashes and sounds and sights and smells and the results during the next 7-14 days or so.

I promptly left town as soon as I could after that. I have not been back since then.
I just hope the locals are not thus getting radiation sickness just because somebody somehow got a hold of some forbidden "toys".

I still consider this a security issue.

Anon====May 10, 2019 6:55 PM

@Taz • May 10, 2019 6:23 PM

Immigration Cops Just Spent A Record $1 Million On The World's Most Advanced iPhone Hacking Tech

Damn phones are hacked worse than those electronic monitoring ankle bracelets sported by the ladies they let out of those ICE detention facilities to await their federal court hearings.

Sinaloa/NG/MS-13 gangsters hack the bracelet, cut it off her ankle, and erase all records from the monitoring system. Then a sister on the DA's paralegal team cancels her court appearance. Oh yes, the girls got inside help.

Russell AminzadeMay 10, 2019 8:49 PM

Fiendish and clever but very simple social engineering way around two-factor authentication using SMS.

1) Get your hands on a compromised account (username and password), perhaps from someone who is re-using one from a breached site.
2) Go to their website, enter the victim's username and password.
3) Call the user, but spoofed the calling number to show their bank on caller ID. 4) Tell them you need to confirm that this is in fact them, and you will send them a text.
5) Log in, and when the second factor is sent via SMS to them, ask them to read the number to you.
6) Enter the number and quickly change their username and password.
7) Drain their account.

It looks like this person caught them in time to avoid step 7:

It would be simple for any site using SMS for two-factor authentication to prevent this by saying "Please do not share this number with anyone, even a person claiming to be [bank]. It should only be used to log in to your account"

Erdem MemisyaziciMay 10, 2019 10:50 PM

What do you think about multifactor authentication implementations on browsers prompting for the make and model of your security tokens recently? Does it provide anything beyond generating product usage data? Has anybody worked with this recently?

JonMay 10, 2019 11:16 PM

@ R. Aminzade

Alternately, at 3) if anyone from your bank calls you and asks you for anything beyond your name in. re. 5), tell them to go jump in something. If it's that important, you can go to a branch office and deal with it there. Or at the very least call back to a publically advertised contact number, NOT THE ONE THEY GAVE YOU!!

I've recently been getting spam texts that claim to be from [$large western USA bank] (LWB) that contain links that bear exactly no resemblance whatsoever to the actual domains of LWB.

In a moment of weakness I replied to one with an expletive. I wonder if that was a bad move.


JonMay 10, 2019 11:33 PM

@ E. Memisyazici

That strikes me as a truly horrible idea, although I have never seen it, and I doubt I will. You see, the security token generates merely a number, and that number has to match another number generated locally.

Therefore they already know your make and model of token, because they know what number it should have generated, and anyone asking for more information should be told to go jump in a lake.


name.withheld.for.obvious.reasonsMay 11, 2019 1:38 AM

@ Clive

As our exchanges have a span of nearly decades (okay, 0.8 decades), much is/was learnt.

Remember our colleague "Sir/Madame Skeptical", a rogue for the sake of being one. When I encounter vapid, unimaginative, and the obligatory colloquialisms of less inquisitive forums and institutions, I attempt to "establish terms of interchange and perspective". If this fails, there is an attempt to draw a greater level of visibility and wider participation in order to work the rules of debate/engagement. This is often in the form of a "side channel" hack.

We are lucky that a core group exists within the confines of Bruce's space. And, I am forever grateful to Bruce for his unending support. I do my bit, I buy his books, write reviews, and communicate personally with Bruce. I only regret that I cannot contribute more to the good works here and about this space. Though our contact is infrequent as of late, I am aware that providing a positive feedback signal in the many contexts we find ourselves can be helpful. There is only one other person with whom I regularly communicate. A DC-based expert in several complex fields, nuclear physics and communications, I respect their the journey so to speak.

My broad strokes here are deliberate, as you probably understand; the risks to others in these more public channels carry an uncertain amount of "response". I mentioned before the messaging I received from the CIA after some comments here...unexpected, it was unwarranted. Getting your panties in a bunch and taking it to the written word is one thing, reaching out and touching someone is a bit more juvenile. If my situation included standing at the helm of a state apparatus, an extreme level of respective for the potential repercussions makes one cautious when navigating from either starboard or port side.

Also, there was a moment when Nick P and myself discovered a very disturbing "information warfare" event. I reached out to a very limited number of colleagues without affect. We both seemed to have found no "interest" (more accurately a "cautioned response") where it might be important to understand. Do you remember HR4681 of the 2014 IAA wrapped in an omnibus poop-bag? To this day section 309 has been misrepresented by nearly all, in and out of government. This bird was so low in flight that gofers noticed, but not others.

I mention this to remind myself, and others, that we do have impact. The previous two paragraphs are stark example of this fact.

MarkHMay 11, 2019 2:37 AM

Predictable Trouble

In the aftermath of one recent U.S. school shooting (an endemic phenomenon here), police are investigating the possibility that an armed guard who was present may have fired on law enforcement officers and shot a student.

If this most unhelpful application of deadly force indeed occurred, it's presumed to be the result of confusion, not malevolence.

There's a kind of malignant idiocy insisting that more guns will improve public safety.

Clive RobinsonMay 11, 2019 8:55 AM

@ Yep,

$10 says witness is Clive.

You can send the $10 to @Bruce, he can then spend it on a drink or two.

CallMeLateForSupperMay 11, 2019 11:45 AM

"A skimming campaign continues to infect sites with malicious JavaScript."

And you thought your card couldn't be skimmed as long as you held it in your hot little hand.

"Unless you want your payment card data skimmed, avoid these commerce sites"

This is an additional case of "JavaScript provides one with a convenient means to shoot one's self in the head". DISable JS in your browser. Yes, some web sites won't communicate with you for doing so, but you will be much safer.

Clive RobinsonMay 11, 2019 1:22 PM

Spy on a Granny

As someone remarked a week or so ago some of us are concerned about the lack of security in implanted medical electronics.

But that's not the only thing, none of us are getting any younger, dementia is on the rise and the cost of supervising the elderly / frail / etc is rising way faster than wages as various corporations see it as just another profit center to be exploited to the max.

Thus technology is seen as "comming to the rescue", unfortunatly the people developing the technology rarely have any knowledge, let alone insight into even the most basic of security.

Whilst something with a very limited range and poor security should quite rightly be considered bad, how about something without a range limitation and no security, or security that anyone can turn off? Worse than bad... but that's the sort of thing we are getting...

For example quite a few people who are frail or prone to trips and falls where they either can not get up or need medical assistance wear "help button pendents" around their necks. These used to be very limited in range often only just covering the persons house and maybe their garden/yard, and were one way in that the wearer would have to initiate the system.

The new tech uses mobile phone technology and will work both ways so any one who knows or can easily work out the phone number can talk to the device and "factory reset" it clearing out all the numbers to be called and also disabling any security setings...

Oh and it can also be used as not just a GPS locator, but an audio surveillance device as well...

There are many other systems that are just as bad one way or another, in the UK a company that I won't name is pushing a similar but more bells and whistles device for "helicopter children". If Mum, Dad or the Gramps and Grannies are a little frail etc then helicopter children can by a device that "hovers for them"... It not just monitors their movments 24 by 365.25 it uses AI against previois behaviour to look for "deviations" so that the helicopter daughter/son gets automatically notified of any behavioural changes by text or email etc from the companies Cloud Presence...

Once upon a time I used to worry that society was "going to hell in a handcart" with intrusive tech maybe once a month or so. Now it's rare that a day goes by where I'm not somehow reminded a half dozen or so times...

It's not just IoT we have to worry about it's darn near everything with a battery or plug attached. There are even clothes irons with SoC microcontrolers that have WiFi/Bluetooth in them... You soon won't be able to by a TV, radio, fridge or clotheswashing machine without a requirment for "Internet connectivity" simply because some idiot thinks they can make more profit. Apparently even "marital aids" come with "Internet to go" built in these days, how long before "family planing aids" get WiFi hot spots with AI "blue pill" detection?

>_<May 11, 2019 2:30 PM

Accomplishable Choices Still Exist

Once somebody asked me online about some "hit tunes" that "went under the radar".
I was happy to oblige, and responded in kind. Oddly, there seemed to have been zero(0) other replies.

Ostinato Oblongato:

The videos explain the content.
Those of you who can extrapolate and interpolate the security contents implied, we have that in common.

Today is yesteryear's future. Today is tomorrow's yesteryear.
Thank goodness that good accomplishable choices still exists. I hope also to keep it that way.

I'm still optimistic.

P.S.-wow, Mr. Clive R[...], excellent previous post. I'm with you on your side of that topic.

A90210May 11, 2019 4:09 PM

"Did Donald Trump’s Grip on the Justice Department Sabotage Robert Mueller’s Investigation?"

"Through his unrelenting efforts to obstruct the Trump-Russia investigation since its inception, President Donald Trump has inflicted a slow-motion Saturday Night Massacre on the American people, a constitutional nightmare that has lasted two years instead of one night.

And it is still going on, despite the fact that special counsel Robert Mueller has completed his investigation. Trump now has a willing lackey in Attorney General William Barr, who is aiding and abetting the president’s ongoing efforts to control the Justice Department and corrupt the country’s system of checks and balances.

The original Saturday Night Massacre ended far more quickly than Trump’s version.

On the night of October 20, 1973, President Richard Nixon ordered Attorney General Elliot Richardson to fire Watergate special prosecutor Archibald Cox. Nixon wanted Cox out because Cox had just subpoenaed the president and demanded that he turn over his Oval Office tape recordings. Nixon feared that Cox was getting too close to unraveling the Watergate scandal.

Richardson refused to fire Cox, instead resigning as attorney general that night. Deputy Attorney General William Ruckelshaus also refused to do Nixon’s dirty work and also resigned. But by the end of that Saturday night, Nixon had found his hatchet man: Solicitor General Robert Bork agreed to fire Cox.

Given what we now know about the events of the last two years, Nixon’s Saturday Night Massacre resembles a routine weekend in the Trump administration.

Much of the carnage is documented in the second volume of the Mueller report, which focuses on obstruction of justice. Mueller recounts Trump’s nonstop efforts to block the Trump-Russia investigation and details the firings, threats, and intimidation tactics Trump used to pressure key figures involved in the probe.

But Mueller may not have captured every aspect of Trump’s Saturday Night Massacre. That’s because Trump’s threats to fire the special counsel — combined with the president’s incessant public and private pressure on Deputy Attorney General Rod Rosenstein, the Justice Department official who supervised Mueller’s investigation — may have influenced both what is in the special counsel’s narrow and hesitant report, and what is conspicuously absent. ..."

Bruce SchneierMay 11, 2019 4:47 PM

@Clive Robinson

"You can send the $10 to @Bruce, he can then spend it on a drink or two."

Hey. Thanks.

A90210May 11, 2019 4:49 PM

"Attorney General William Barr recently invoked a powerful, rarely used privilege to withhold information from the public, marking a dramatic turn of events in a battle over the release of a highly contested report.

Only this time, we’re talking about a report that would provide much-needed information on the government’s spying activities.

For the past five years, Twitter has been trying to make public a transparency report with detailed statistics about how often the U.S. government seeks to spy on Twitter’s users. At nearly every turn, the government has been putting up roadblocks to prevent that report from seeing the light of day.

In 2014, when Twitter first sent its draft report to the government for review, the company was told it couldn’t publish the report because it contained information the government deemed classified. Then, when Twitter took the government to court to challenge its censorship as a violation of the company’s First Amendment rights, the government moved to squash the lawsuit. In a secret declaration filed under seal with the court, the government purported to explain to the judge the harms that would result if Twitter published its transparency report. Twitter’s lawyers, notably, weren’t allowed to see the declaration at the time.

Fortunately, the judge was unpersuaded by whatever was in that secret document, and rejected the government’s attempts to dismiss the case, Twitter, Inc. v. Barr.

But that hasn’t stopped the government.

Now, Attorney General Barr is invoking the “state secrets privilege” in an effort to keep Twitter’s lawyers from seeing the secret declaration and to shut down the lawsuit altogether. But as we explain in an amicus brief filed in court this week, Barr’s assertion of the state secrets privilege is highly inappropriate and dangerous. If left unchecked, it would risk endorsing a dramatic expansion of the privilege — with far-reaching consequences for future cases involving classified material. ..."

VinnyGMay 11, 2019 6:09 PM

@anders re: AV breach - True or not, that information is useless without knowing the identity of the three AV vendors. Also, "three top anti-virus companies" > "the three top anti-virus companies" so we cannot even estimate the magnitude in terms of affected users (Virus Total lists 66 AV scanning services - how many of those qualify as "top" according to the entity making the breach claim?) Much more information is needed than has been provided by Advanced Intelligence...

John GoodwinMay 11, 2019 7:49 PM

@witness - maybe not too helpful, but I would start by looking at EPA (Environmental Protection Agency) regulations, not laws.

The term 'source term estimation' (STE) might be useful for triangulating useful information.

The PullMay 11, 2019 10:41 PM

@ av story

Also, [besides what VinnyG said] who is the source, "advanced intel", where's sources for the legitimacy of this hacker group / individual? The "proof" shown could easily have been anything.

Seen this at several sites, but all rely on one anonymous blog's story.

albertMay 12, 2019 11:31 AM


It's probably a UFO.

@John Goodwin,

The EPA. You mean Trumps EPA?
Surely you're joking...

. .. . .. --- ....

John GoodwinMay 12, 2019 6:01 PM

@witness @albert :

A few minutes searching brings up this web query of available EPA data:

Notice RadNet and RadInfo components

There's also a page on Data APIs (web services)

Finally and both allow you to search for relevant code and data -- it is probably easier to start with the data or code that would answer your question, then find out which regulations they are trying to enforce by collecting the data -- that should point to the answer to the actual question asked.

The Code of Federal Regulations is dense but you can do a depth first search on your topic:

EPA mentions Vol. 40 with particular refer to these areas

US Regulations and laws about ionizing radiation and public exposure are all over the map -- the AEC (Atomic Energy Commission) was broken into the NRC (Nuclear Regulatory Commission) and the DOE (Department of Energy). If I had to guess I'd guess the exposure regulations for the public, in cases *other* than Nuclear power plants or the transport of Nuclear Waste, are likely to be in the DOE regulations. But I wouldn't rate that as even an informed guess -- it is a mere guess.

The EPA does monitor for radiation and I've pointed to the data with the first link. In some cases, they give information about the compliance and regulations they are attempting to enforce.

I don't know if the DOE does any radiation monitoring at other than DOE facilities (which they most certainly do). So you might find the data in one place, and the regulations for public exposure in the other.

Hope this helps!


Clive RobinsonMay 12, 2019 7:59 PM

@ cat,

With regards the "Ginsu missile" I realy don't think that some journalists understand what they are being told, or someone is pulling their leg...

The quote from the WashPo of,

    Designated the Hellfire R9X, the missile has no explosive warhead—instead, its payload is more than 100 pounds of metal, including long blades that deploy from the body of the missile just before impact.

Normal Hellfire missiles weigh ~100lb (46Kg) in total of which the warhead payload is actually a copper lined shapped charge that is not a big percentage at 18-20%.

Secondly the Hellfire IIRC gets upto around 950MPH or 425m/S. In terms of energy using Ek = 0.5MV^2, thats just over four million Joules liberated in around 2mS or ~2GWatt which is well into 'crispy fried critter' country.

The Hellfire was originally designed in the 1970's to destroy mainline Soviet tank armour. Thus a Hellfire would quite happily punch it's way through most buildings walls through a person and out the other side of the building... Sticking blades out the side of the missile would actually slow the missile progress down quite considerably, and would only add to the level of flying shrapnel, thus injuring many more people as collateral damage than just the missile with passive ballast replacing the usual warhead.

name.withheld.for.obvious.reasonsMay 12, 2019 11:32 PM

Risk to the classes, from the working to the most prominent functionary in the Judiciary, are all susceptible to the mechanisms of the new crypto-facist nation-state. We are witnessing the unwinding of the neo-classical western democratic republics around the world. Jurist prudence has been sacrificed to raw power. Justice cannot be realized when all the instruments and institutions of social and political justice are hostage to the security state.

Security (really a form of crypto-facism) is the replacement to law, facts cannot stand against the military intelligence state (MIS). Given that corporate support, vis-a-via "business records", means that the private sector relinquishes the sanctity of the person over to the state. Life has become transactional, not a social-political, egalitarian, and modern contract. As such courts will be incapable of rendering judgements that haven't been tainted by the MIS systems of oppression and control. Courts will become transactional; no argumentative basis in "context", joined with the "complete" factual record, is allowed to answer questions of justice or fairness. Courts will willing blind their eyes to the truth and obey the dictates of the MIS.

We are in the "dystopic concourse" awaiting the final boarding call for "Turnkey Tyranny" airline.

WeatherMay 13, 2019 12:11 AM

It looks more like a Sam, four booster stages to get to altitude, with single secondary, with large fins for movement in low atmosphere,
They might be saying ,stop fly sortys over our airspace, or we might shoot them down.

MarkHMay 13, 2019 1:43 AM


That purported missile sounds like something from the comic books I read as a kid! I share your doubts about the whole story ...

For what it's worth, the manufacturer puts the motor weight at about 31 pounds. Supposing the design goal was to maximize the proportion of fuel mass in that total, by the time one of those bad boys comes near its target, it's probably closer to 80 pounds.

I suspect that being within a few meters of the impact point is extremely violent, regardless of warhead configuration.

MarkHMay 13, 2019 3:42 AM

... more on the "Ginsu missile" ...

Both WaPo and WSJ (which apparently published the first story) would typically confirm news with at least one trusted source.

Assuming that the bare facts are correct, what might be the sense of such a gadget?

My best effort of imagination so far, is that if the target is outdoors, it might be useful to increase the missile's mechanical radius by a modest multiple. This would increase the probability of hitting the poor dumb sod at whom the missile was aimed, with perhaps less lethality to persons nearby than other typical warheads.

A distance-to-target sensor might suffice to trigger deployment at 100 meters or so, which could give adequate time for the "expansion" without dissipating much kinetic energy.

It's a guess, anyway ...

Clive RobinsonMay 13, 2019 6:00 AM

@ MarkH,

That purported missile sounds like something from the comic books I read as a kid! I share your doubts about the whole story ...

The quoted missile designation "R9X" does appear in other places but there is no usefull information as such. In some respects it's like the CIA bombs during both the Korean and Vietnam wars. That is all you realy got was a designator and a form factor for basic requirments like what weapons racks it would fit into as they were delivered to the weapons loaders outside of the normal chain. The actuall purpose be it propaganda leaflets or chemical/biological weapons of mass destruction was not given.

Thus I suspect there is quite a degree of "chinese whispers" space to play in. Which is what appears to be the case,

In one part they are talking about 6 swords, but the photographs of a car supposadly hit has only 4 potential cuts. Personally I do not believe that car was hit with a Hellfire missile of any kind. I suspect it might just have been a few Kg of free falling tungstan casing with the four cuts comming from the larger than average tail fins required for guidence rather than just stabilisation.

Because the basic logic holds, the all up weight for the standard Hellfire missile ~100lb give or take five pounds. Changing that is not realistic due to weapons racks/pylons etc. Of that weight ~20% is warhead the other 80% being motor, fuel, frame, guidence mechanics electronics and power source and seaker/follower sensors in the nose cone.

Thus we can safely say the 100lb of metal payload is an outright nonsense. Even if the journalist or person was talking about total mass on target, as you note it's still not realistically going to be 100lb.

But even if there was just a lump of concrete in a HDPE wrapper to put in the payload bay of the Hellfire the impact at upto 950MPH is going to do one heck of a lot of damage just from kinetic energy and breakup into shrapnel. But worse is the rocket fuel. for those with longer memories back to the Falklands war, the missile that hit HMS Sheffield did not sink it by impact. What sunk the Sheffield at the end of the day was the fires caused by the remaining rocket fuel[1] causing her to be virtually gutted and thus abandoned and the hull not being made sea worthy before being put under tow[2].

For obvious reasons the amount of additional energy in rocket fuel is going to have a marked effect after impact regardless of any weapons payload.

So honestly I realy can not see any way that collateral damage is going to be significantly effected in a downwards manner.

And that's all before we start talking about cutting blades being deployed outwards from what in reality is quite a small weapons bay in the missile, so I can not see them being the "long blades" of the article. Look at it this way to be long from a small bay they would not just need to be folded, they would need a support structure. So they might look somewhat like the inside of a small "hand bag umbrella", and as many people know they have a habit of turning inside out in even quite moderate winds. At 450m/S as the saying goes "I'm not feeling it".

But look again at that car in the photos, it shows no signs of burning or outward bowing you would expect from the energies involved of a rocket the size of a hellfire missile.

On what we have so far the story "is failing the sniff test". So I guess we are going to have to wait and see if any extra information surfaces about the R9X at some point in time.


[2] There are still stories going around that the Sheffield was deliberately scuttled, if that is true or not the evidence for it is lacking currently.

MarkHMay 13, 2019 9:38 AM


A few observations ...

• I estimated above that there's probably about 80 lbm of missile (certainly not all metal!) at the target.

• My guess is that unused propellant would be less significant. The Exocets used by Argentina had about 15 times the mass of Hellfire, and the capacity to fly for nearly 5 minutes. The motors must have been designed to burn continuously for that duration.

The faster Hellfire has about 15% of Exocet's range, and might perhaps be designed to burn out in a few seconds and continue its flight by coasting.

• Though I don't pretend to know the warhead design, since it seems to be an assassination weapon (intended for the softest of soft targets), a small number of "stiff arms" would seem a poor solution. If my concept of radius expansion is anywhere near the intention, an assembly of thin-gauge spring steel might do the job with only a few kilograms of material.

• The notion of cutting blades seems both sensational and perhaps unnecessary. If it's not designed as a penetrator, any structurally adequate profile will do: sharp, blunt, or padded with foam, an assembly impacting at that speed is going to be deadly.

As you say, we'll have to wait and see. Until authoritative information is published, we're limited to imagination and guesswork.

albertMay 13, 2019 10:22 AM

@John Goodwin,
Thanks for the links. I'm sure to use them at some point.

No argument on ionizing radiation exposure standards from the DOE, etc.. (although I think they are too high).

@witness comment lacks any substantive evidence, hence the UFO reply.

My main concern is non-ionizing radiation from microwaves, which is another can of worms.

. .. . .. --- ....

TatütataMay 13, 2019 2:26 PM

Francesca Mari, The Tinder Hacker, The Cut (a spinoff of New York Magazine), 10 May 2019

This story is about pranking male Tinder users.

Once finished, Sean ran two rather mischievous programs.

The first program had her dummy account indiscriminately swipe right on some 800 men. The second program was one that Sean had spent months coding. It paired men who matched with Haley with one another, in the order that they contacted her. A man would send a message thinking he was talking to Haley — he saw her pictures and profile — and instead another dude would receive the message, which, again, would appear to be coming from Haley. When the first dude addressed Haley by name, Sean’s code subbed in the name of the man receiving the message.

As soon as they ran this code, it was off to the races. Conversations streamed in, around 400 of them unfurling between the most unlikely people, the effect something like same-sex Tinder chat roulette.

Not sure whether there are profound security implications here, but I nevertheless think it's squiddy material.

Scamming dating sites is nothing new. Back in the 1980s, Minitel dating servers were staffed by professionals whose purpose was just to keep the marks connected and the meter running. Quite a few modern internet dating sites do exactly the same, and there is also a more sinister 419-like cottage industry.

The novelty in the present case appears to be that the prank is automated.

TIARA GNOMEMay 14, 2019 3:29 AM

TAILS had a new release on 6 May, 19 because their browser addon NOSCRIPT could be disabled in the previous release, which would then cause a vulnerability:

"Using HTML5 canvas fingerprinting, two or more collaborating websites can compare how graphics and text are displayed by your computer and determine whether two website visits are coming from the same computer or not."

So, if you are not using the latest version of TAILS, you might want to update. Either that or make sure that your addons are still working.

Clive RobinsonMay 14, 2019 6:31 AM

@ name.withheld...,

Do you remember HR4681 of the 2014 IAA wrapped in an omnibus poop-bag?

The one with this infamous Section[1],

    (Sec. 309) Requires each element of the intelligence community to adopt Attorney General-approved procedures for any intelligence collection activity not otherwise authorized by court order or subpoena that is reasonably anticipated to result in the acquisition of nonpublic telephone or electronic communications to or from a U.S. person, including communications in electronic storage, without the consent of a person who is a party to the communication.

    Requires the procedures to permit acquisition, retention, and dissemination of such communications but prohibit retention in excess of five years unless:

Along with a list of catch-alls so broad that nearly everything can legaly be retained, especially with the one on plaintext/encryption that has the universal excuse of "reasonably assumed"... Oh and the LEO exception.

Yes I remember it, and a lot of the nonsense that went with it, that also hid away,

    (Sec. 311) Requires the DNI to report to Congress regarding the feasibility of consolidating classified cyber threat indicator and malware sample databases in the intelligence community.

That is in effect a blanket for starting a new Cyber-Warfare weapon stockpiling. After all you can not report on the feasibility accurately, unless you build it...


Maxwell's DaemonMay 14, 2019 8:14 AM


I could generate up a report on the feasibility in pretty short order here given that managing such a database is part of what I do in infosec and, tossing in my extensive safety-critical engineering background here*, doing it right the first time isn't much of a stretch. Now, the reality is that this has to go through the standard acquisition process so, yes, that's what they'll do. Several times over and likely still not get it "right."


[* - About as safety-critical as handling level 3 biohazardous material and I've done that too.]

Clive RobinsonMay 14, 2019 11:10 AM

Updaye WhatsApp alert

It would appear that a Security Company has hacked into WhatsApp,

    Facebook's WhatsApp said on Tuesday a security breach on its messaging app had signs of coming from a private company working on surveillance and it had referred the incident to the US Department of Justice.

What the severity is for individual users or how long it's been a problem for them is still not realy known.

A90210May 14, 2019 3:22 PM

@Clive Robinson

"WhatsApp alert"

From your link

"Earlier, the Financial Times reported that a vulnerability in WhatsApp allowed attackers to inject spyware on phones by ringing up targets using the app's phone call function [and may have worked even if targets didn't answer the call].

It said the spyware was developed by Israeli cyber surveillance company NSO Group - best known for its mobile surveillance tools - and affects both Android and iPhones. The FT said WhatsApp could not yet give an estimate of how many phones were targeted."

Other links

A90210May 14, 2019 3:40 PM

@Sherman Jerrold

From your link

"In 2018, the NSA performed 164,770 queries of Americans’ phone records, which is more than a five-fold increase over the previous year."

Under President Trump, we may be in some sort of Golden Age for law enforcement in the USA.

However, the article might have overlooked that, in addition, Hale might have been texting (SMS?) or phoning Scahill early in their relationship or been appearing on TV or documentaries.

Another link

A90210May 14, 2019 4:54 PM [Iran Would Be “Biggest Mistake It Has Ever Made] [Bomb Iran Come True? Ex-Iranian Ambassador Warns About U.S. Escalation]

"... JUAN GONZÁLEZ: Ambassador Mousavian, given the scenario you’ve laid out of the context of everything that has happened in the past, how do you see this latest news of these four commercial ships that were sabotaged and Iran claiming that they believe a third country is behind these attack? How do you see this as the buildup of a pretext to attacking Iran?

SEYED HOSSEIN MOUSAVIAN: Exactly. This is exactly what I have said for many months. How they would drag President Trump to a war. This would be such incidents in the region. It is not new. I have said for many months, in many articles and interviews, malicious attempts by conspirators, conspiracy attempts in order to blame either to attack the U.S. facilities in the region or to kill some American soldiers in the region or to attack American allies, facilities in the region. You just read last week some articles by Israeli papers saying that we have information that Iran is going to attack oil infrastructure of American allies in the region. This is the scenario. This is the conspiracy plan which they want to leave no option for President Trump unless to attack Iran. ..."

Clive RobinsonMay 14, 2019 6:07 PM


With respect to the quote you give,

    two or more collaborating websites can compare how graphics and text are displayed by your computer and determine whether two website visits are coming from the same computer or not.

If you search back far enough on this site you will find I was warning about the potential for such attacks in web browsers with two or more windows/tabs open some time before Google even started talking about Chrome.

As I pointed out in a conversation with @Nick P back then, the problem was that web browsers were in effect a single process with all that implies about lack of segregation in memory and I/O thus even communications on the wire (traffic analysis etc by various "injection" techniques).

What web browsers did back then and still effectively do today is "short circuit out" the OS native privacy / security segregations you would get with seperate processes, data and communications stacks etc.

As I've also warned the lack of easy segregation of "user roles" is further a major privacy / security weakening.

The fact that Google and similar who rely on such weaknesses for their profit models, also pay for features in web browsers one way or another should tell you the real reason Web Browsers are so insecure, and worse why the W3C stuffed so much obvious further weakening of users privacy in the HTML5 standard.

Depending on who you listen to, it appears that something like 75% of HTML5 is ripe for abuse of privacy thus security in the use of HTML5. But ot is also compleatly unnecessary for standard browser functionality.

My advice as with javascript and cookies would be "Don't support HTML5". If web sites using it find they are loosing traffic because they use HTML5 then they will stop using it. Which means that it will get depreciated for earlier less intrusive standards.

Even the 'alledged'[1] originator of Hypertext and Hyperlinks Tim Bearners-Lee is saying such lack of privacy is killing the Internet thus we should move on to greater privacy / security (which would also involve junking IP and the lower level network protocols as well).

However as long as the "data rapers" of Silicon Valley call the shots then we will never have privacy, security or the myriad of other things society needs to survive...

[1] As I've mentioned before there were well developed Hyperlink and Hypertext systems running in various places where Tim Bearners-Lee would have come into contact with them directly or indirectly. Two that I know off are the UK's National Physics Laboratory (NPL), and the UK's British Telecomm (BT) who used the work from NPL as the basis for their research and further development, some of which ended up in the Prestel System and later "ViewData" systems in the late 1970's and 1980's.

Clive RobinsonMay 14, 2019 7:13 PM

@ Maxwell's Daemon,

I could generate up a report on the feasibility in pretty short order here given that managing such a database is part of what I do in infosec and,...

I'm quite sure that not just you but many could do likewise, including those mentioned.

But that's not the reason it's there... The real reason is to give "backdoor" permission to start building such a database, under the excuse of "investigatory", "research", "experimental" or some such. Oh and to be sure they have it right, the system would have to be compleatly built to test "scalability" and be made available to the 'grunts' to ensure "usability" was also "in depth tested".

Yes I know it makes me sound like a "paranoid cynic" but my reasoning in the past in the same vein has mostly come true, with other bits well on the way currently. I guess most have no idea just how depressing it is thinking the worst of government agencies, and then have them perform even worse than that :-(

I sigh so often I sound like a special effect for a windy day :-S

I'm guessing that you are likewise well on the way as well.

DennisMay 14, 2019 10:57 PM

@Clive Robinson wrote, "It would appear that a Security Company has hacked into WhatsApp,"

This is likely a false flag op considering they could have probably bought the data directly from FB and such.

name.withheld.for.obvious.reasonsMay 15, 2019 2:26 AM

@ Clive

Yes Clive, that is it...

Before congress voted on the bill(s), the legislative summary had section 309 replaced with the text of section 310. This completely changed the nature/scope of the bill without notification to congress members. So if a critter from congress had read that summary they would not know that NON-PUBLIC, meaning PRIVATE, communications was all up for grabs. Massy attempted to inform members but he'd only come to the text just prior to the vote. In other words, someone gamed the legislative process and snuck this fecal matter into legislative history. THIS IS THE DELIBERATE SUBVERSION OF REPRESENTATIVE DEMOCRACY--FULL STOP.

I was unable to determine the origin of this act, but, I did get another person to verify the checksums of the versions on the site. Thus we verified that a change had been introduced, without some kind of FOXACID type of subversion.

TIARA GNOMEMay 15, 2019 10:25 PM

@ Clive Robinson

Regarding what you said:

"If you search back far enough on this site you will find I was warning about the potential for such attacks in web browsers with two or more windows/tabs open some time before Google even started talking about Chrome."

That is very interesting. Being ahead of the game is especially valuable in these lines of work and areas of concern, and people like you who can do it should be commended and encouraged to keep on keeping on--especially those who are on defense as "public-interest technologists" as Bruce Schneier is.

It is time to act. Out of everything that has happened since the Internet began, the current quashing of free speech by the likes of Facebook is the one thing that we cannot let happen no matter what. En masse surveillance with impunity by people like them--cloaked in user agreements that no one reads-- has been bad enough, but now the active (active measure) silencing of people, the deception these jokers use, the self-serving media onslaught they bankroll, it is all leading to a very dark place that is completely against civic society.

We have been here before.

Here is John Milton quoting Euripides in Aeropagitica:

This is true liberty, when free-born men,

Having to advise the public, may speak free,

Which he who can, and will, deserves high praise;

Who neither can, nor will, may hold his peace:

What can be juster in a state than this?

--Euripides, Hicetid.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.